Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 23 Nov 2019 15:04:14 -0600
From:      Tim Daneliuk <tundra@tundraware.com>
To:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Optimizing ipfw?
Message-ID:  <55e36a4a-c594-e70c-28ac-ab7312591955@tundraware.com>
In-Reply-To: <CAHu1Y726%2BWLu9E=504QjiV2mfhYnSeRZwEU8wFvrF88ziATdSA@mail.gmail.com>
References:  <ac88a9fd-b3e4-a7f2-6f05-bf00df8f9626@tundraware.com> <CAHu1Y726%2BWLu9E=504QjiV2mfhYnSeRZwEU8wFvrF88ziATdSA@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On 11/23/19 11:46 AM, Michael Sierchio wrote:
> Don't use specific rules per CIDR block, use tables.  You can efficiently
> handle hundreds of thousands of CIDR blocks and IPv6 prefixes in a single
> table, or multiple tables.  You can assign the argument based on country
> code or some such. You can add and delete CIDR blocks, and even swap tables
> so you can do it atomically.

Aha!  Thanks.  So, I added this to my firewall startup code:

  ###
  # Block Naughty IP Addresses/Spaces
  ###

  # Use ipfw tables for efficiency

  for addr in `cat ${NAUGHTYFILE}`
  do
    ${FWCMD} table 10 add ${addr}
  done

  ${FWCMD} add deny all from table\(10\) to any via ${OIF}


ipfw show does show that new table being referenced and the table shows the IPs and CIDR blocks
I want stopped, but I have no affirmative proof this is working yet.

It does, however, no longer clobber network performance as you noted.  So ... thanks again!

P.S. Is there a way to get ipfw to dump everything it is blocking including the stuff in the table?




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?55e36a4a-c594-e70c-28ac-ab7312591955>