From: Nikos Vassiliadis
To: freebsd-questions@freebsd.org
Cc: "eBoundHost: Artur"
Date: Wed, 31 Oct 2007 09:50:36 +0200
Subject: Re: how many IPFW rules?
Message-Id: <200710310950.37646.nvass@teledomenet.gr>
In-Reply-To: <002001c81b37$7dc605e0$6b00a8c0@mobility>

On Tuesday 30 October 2007 22:57:31 eBoundHost: Artur wrote:
> Hello FreeBSD people!
>
> I have an SMTP server under attack by what seems like a large botnet. My
> inetd is choking under the load and not allowing real mail through.
> I've successfully used tshark to find the offenders and put them into
> the ipfw firewall for port 25.
>
> So here is my question: I'm currently blocking 55,529 IP addresses and
> the server seems pretty snappy, with no noticeable load or lag. How many
> more rulesets will I be able to handle before things start getting
> fuzzy?

Do you use 55,529 rules? Well, if you do, stop doing it :)

There is a solution designed for large sets of addresses, so you'd better
use it. Search the ipfw manual page for "lookup table".

Apparently there is no problem doing it the way you do it for your load,
but tables are designed for such situations and should be more appropriate
and lightweight.

Nikos
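As an added illustration of the lookup-table approach Nikos points to (this is not code from the thread or from the FreeBSD project; it is an editor's example), the script below turns a plain-text list of offending addresses into a single ipfw table plus one deny rule that consults it. The table number (1), rule number (100), and the offender file path are assumptions. The numeric `ipfw table N add` / `table(N)` syntax is the one the 2007-era ipfw(8) manual describes; newer FreeBSD releases also accept named tables, and the numeric form still works. The script prints the ipfw commands instead of running them, so the result can be reviewed first and then piped to `sh`.

```shell
#!/bin/sh
# Load a large set of offending addresses into one ipfw lookup table and
# block port 25 from that table with a single rule, instead of one rule
# per address.  Editor's example, not from the original thread.
#
# Assumptions (not from the post): table number 1, rule number 100, and an
# offender list with one IPv4 address or CIDR prefix per line; blank lines
# and '#' comments are allowed.

TABLE=${TABLE:-1}
RULE=${RULE:-100}

# Write a constructed sample offender list to the given path.  The
# addresses are documentation ranges (RFC 5737), not real attackers.
write_sample_offenders() {
    cat > "$1" <<'EOF'
192.0.2.10
# a whole /24 can be blocked with one table entry (longest-prefix match)
198.51.100.0/24
192.0.2.10
203.0.113.7
EOF
}

# Normalise the list: drop comments and blank lines, strip whitespace,
# dedupe.  A duplicate add is harmless to ipfw (it just reports that the
# record exists) but a clean list makes the output easier to review.
normalize_offenders() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep -v '^$' | sort -u
}

# Emit the commands that (re)load the table.  Flushing first makes the
# script idempotent: re-running it with an updated list replaces the set.
gen_table_cmds() {
    printf 'ipfw table %s flush\n' "$TABLE"
    normalize_offenders "$1" | while read -r addr; do
        printf 'ipfw table %s add %s\n' "$TABLE" "$addr"
    done
}

# One rule referencing the table replaces the per-address rules.  The
# parentheses must be quoted so the shell does not try to interpret them.
gen_rule_cmd() {
    printf "ipfw add %s deny tcp from 'table(%s)' to me 25\n" "$RULE" "$TABLE"
}

# Number of distinct entries, for a sanity check against
# 'ipfw table 1 list | wc -l' after loading.
count_offenders() {
    normalize_offenders "$1" | wc -l | tr -d ' '
}

# Usage (dry run):   write_sample_offenders /tmp/offenders.txt
#                    gen_table_cmds /tmp/offenders.txt; gen_rule_cmd
# Usage (apply):     { gen_table_cmds /tmp/offenders.txt; gen_rule_cmd; } | sh
```

Two practical points: the deny rule must be numbered ahead of whatever rule accepts port 25, or it never matches; and because table entries are prefixes, a range of bots can often be collapsed into one /24 entry rather than hundreds of single addresses.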