From owner-freebsd-questions@FreeBSD.ORG  Sat Aug 25 21:13:57 2007
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D84BE16A417
	for <freebsd-questions@freebsd.org>;
	Sat, 25 Aug 2007 21:13:57 +0000 (UTC)
	(envelope-from dan@dan.emsphone.com)
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101])
	by mx1.freebsd.org (Postfix) with ESMTP id A218413C467
	for <freebsd-questions@freebsd.org>;
	Sat, 25 Aug 2007 21:13:57 +0000 (UTC)
	(envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost)
	by dan.emsphone.com (8.14.1/8.14.1) id l7PLDqFu043109;
	Sat, 25 Aug 2007 16:13:52 -0500 (CDT) (envelope-from dan)
Date: Sat, 25 Aug 2007 16:13:52 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: Aminuddin <amin.scg@gmail.com>
Message-ID: <20070825211352.GB25055@dan.emsphone.com>
References: <20070825120018.9D41816A49E@hub.freebsd.org>
	<46d05dcf.0abd720a.60a8.fffff7d0@mx.google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <46d05dcf.0abd720a.60a8.fffff7d0@mx.google.com>
X-OS: FreeBSD 7.0-CURRENT
User-Agent: Mutt/1.5.16 (2007-06-09)
Cc: freebsd-questions@freebsd.org
Subject: Re: How to block 200K ip addresses?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Aug 2007 21:13:57 -0000

In the last episode (Aug 26), Aminuddin said:
> How do you block this large range of ip addresses from different
> subnet? IPFW only allows 65536 rules while this will probably use up
> a few hundred thousands of lines.
> 
> I'm also trying to add this into my proxy configuration file, ss5.conf but
> it doesn't allow me to add this large number.
> 
> IS this the limitation of IPF or FreeBSD? How do I work around this?

Even though there are 65536 rule numbers, each number can actually have
any amount of rules assigned to it.  What you're probably looking for,
though, is ipfw's table keyword, which uses the same radix tree lookup
format as the kernel's routing tables, so it scales well to large
amounts of sparse addresses.  man ipfw, search for "lookup tables".

-- 
	Dan Nelson
	dnelson@allantgroup.com