Date:      Thu, 14 Sep 2006 15:46:12 +0200
From:      Phil Regnauld <regnauld@catpipe.net>
To:        Willem Jan Withagen <wjw@digiware.nl>
Cc:        freebsd-net@freebsd.org
Subject:   Re: blocking a string in a packet using ipfw
Message-ID:  <20060914134611.GW76403@catpipe.net>
In-Reply-To: <4509592A.3040602@digiware.nl>
References:  <4509592A.3040602@digiware.nl>

Willem Jan Withagen (wjw) writes:
> 
> Now I'm pretty sure that ipfw does not stretch indefinitely to contain
> perhaps something like 100.000 ip-numbers (would be a nice test. :) )

	Actually, it should.

> So I'd
> like to see if there is something to do with divert and some matching on a
> string in the packet to drop those packets.

	That will be quite expensive.  Ideally ipfw/pf should allow for inspecting
	the contents of a packet (offset,value,[offset,value]) without leaving
	kernel space.

> That would prevent me from having humongous set of rules in ipfw.
> 
> Or any other suggestion that would make sense.

	Using pf with a table, and in ipfw as well, you can handle very large
	lists of IP addresses.
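Phil's suggestion, a single table instead of one ipfw rule per address, as an added example that is not part of the thread. The script below builds the ipfw table-loading commands and the pf table/block rules from an address list file, but does not touch the firewall itself: it prints them so they can be reviewed and then piped into sh (ipfw) or placed in pf.conf. The addresses are constructed RFC 5737 documentation prefixes, the table number (1), table name (blocked) and rule number (100) are arbitrary choices, and the ipfw syntax assumed is the numbered-table form `ipfw table N add addr` with a rule matching `table(N)`.

```shell
#!/bin/sh
# Added example (not from the thread): load a large blocklist into ONE
# ipfw table / pf table and reference it from ONE rule, rather than
# generating one ipfw rule per address.  Nothing here calls ipfw or pfctl;
# the commands are printed for review.

# Constructed sample list (RFC 5737 documentation addresses), one address
# or CIDR per line; '#' comments and junk lines are tolerated and dropped.
BLOCKLIST="${TMPDIR:-/tmp}/blocklist.$$"
CLEAN="$BLOCKLIST.clean"
trap 'rm -f "$BLOCKLIST" "$CLEAN"' EXIT
cat > "$BLOCKLIST" <<'EOF'
# constructed sample blocklist
192.0.2.10
192.0.2.0/24
198.51.100.77
203.0.113.0/25
not-an-address
EOF

# Keep only lines that look like an IPv4 address or CIDR prefix.  A real
# list from an untrusted feed must be filtered like this before it is fed
# to ipfw/pfctl, or one bad line aborts the whole load.
valid_entries() {
    grep -v '^[[:space:]]*#' "$1" \
    | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?[[:space:]]*$'
}

# Number of usable entries (100.000 entries is fine for a table; it is the
# per-address rule approach that does not scale).
count_entries() { valid_entries "$1" | wc -l | tr -d ' '; }

# ipfw: flush table N, one 'table add' per entry, one deny rule on the table.
# Table number and rule number 100 are assumed/arbitrary.
gen_ipfw() {
    list="$1"; table="$2"
    echo "ipfw table $table flush"
    valid_entries "$list" | while read -r net; do
        echo "ipfw table $table add $net"
    done
    echo "ipfw add 100 deny ip from 'table($table)' to any"
}

# pf: a persistent table loaded from the cleaned file, one quick block rule.
# The file path and table name are parameters; pf re-reads the file on
# 'pfctl -t <name> -T replace -f <file>' without a full ruleset reload.
gen_pf() {
    list="$1"; name="$2"
    echo "table <$name> persist file \"$list\""
    echo "block in quick from <$name> to any"
}

valid_entries "$BLOCKLIST" > "$CLEAN"

# Stand-alone demo: show what would be loaded.
echo "# usable entries: $(count_entries "$BLOCKLIST")"
echo "# --- ipfw ---"
gen_ipfw "$BLOCKLIST" 1
echo "# --- pf.conf ---"
gen_pf "$CLEAN" blocked
```

On the firewall host the ipfw output is run with `gen_ipfw list 1 | sh`, and the pf lines go into pf.conf with the cleaned file in place; updating the list later is a table replace, not a ruleset rewrite, which is the point of using a table for lists of this size.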




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060914134611.GW76403>