From: Dan Nelson
Date: Tue, 30 Oct 2007 23:36:04 -0500
To: "eBoundHost: Artur"
Cc: freebsd-questions@freebsd.org
Subject: Re: how many IPFW rules?
Message-ID: <20071031043604.GA3109@dan.emsphone.com>

In the last episode (Oct 30), eBoundHost: Artur said:
> Hello FreeBSD people!
>
> I have a smtp server under attack by what seems like a large botnet. My
> inetd is choking under the load and not allowing real mail through. I've
> successfully used tshark to find the offenders and put them into ipfw
> firewall for port 25.
>
> So here is my question, I'm currently blocking 55,529 ip addresses and the
> server seems pretty snappy, with no noticeable load or lag. How many more
> rulesets will I be able to handle before things start getting fuzzy?
If you've created 55K separate rules and you're not seeing any slowdown,
then you must have a fast machine :) Using an ipfw table should be even
better, though. That lets you load any number of ip/netmask pairs into a
tree-based lookup table and match all addresses using one ipfw rule. The
ipfw manpage has examples.

--
	Dan Nelson
	dnelson@allantgroup.com
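The table approach Dan describes, as an added example that is not part of the thread: a small sh script that turns the address list extracted with tshark into ipfw(8) table entries plus the single rule that replaces the per-address rules. Table number 1, rule number 100 and the "one IPv4 address per line" input format are assumptions; the numbered-table syntax is the one in the FreeBSD 7 era manpage (later releases use named tables).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.  Generates ipfw(8)
# commands that load blocked addresses into a lookup table and block
# SMTP from the whole table with one rule.  Assumed values:
TABLE=1     # ipfw table number holding the offenders (assumption)
RULE=100    # rule number for the single deny rule (assumption)

# Read IPv4 addresses from stdin (one per line, as pulled out of tshark
# output) and emit "ipfw table N add A.B.C.D/32" for each valid, unique
# one.  Blank lines, comments, malformed and duplicate entries are
# skipped so a stray line cannot abort the load half way through.
gen_table_cmds() {
    awk -v t="$TABLE" '
        /^[ \t]*(#|$)/ { next }
        {
            ip = $1
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { next }
            split(ip, o, ".")
            if (o[1]+0 > 255 || o[2]+0 > 255 || o[3]+0 > 255 || o[4]+0 > 255) { next }
            if (seen[ip]++) { next }
            print "ipfw table " t " add " ip "/32"
        }'
}

# The one rule that matches every address in the table: drop TCP to
# port 25 on this host.  table(N) is quoted because the parentheses
# would otherwise be parsed by the shell when the line is executed.
block_rule() {
    echo "ipfw add $RULE deny tcp from \"table($TABLE)\" to me 25"
}

# Usage: { gen_table_cmds < offenders.txt; block_rule; } | sh
```

New offenders can then be added with a single "ipfw table 1 add" per address, with no new rules and no renumbering of the ruleset.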