Date: Sat, 23 Nov 2019 15:04:14 -0600
From: Tim Daneliuk <tundra@tundraware.com>
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Optimizing ipfw?
Message-ID: <55e36a4a-c594-e70c-28ac-ab7312591955@tundraware.com>
In-Reply-To: <CAHu1Y726%2BWLu9E=504QjiV2mfhYnSeRZwEU8wFvrF88ziATdSA@mail.gmail.com>
References: <ac88a9fd-b3e4-a7f2-6f05-bf00df8f9626@tundraware.com> <CAHu1Y726%2BWLu9E=504QjiV2mfhYnSeRZwEU8wFvrF88ziATdSA@mail.gmail.com>
On 11/23/19 11:46 AM, Michael Sierchio wrote:
> Don't use specific rules per CIDR block, use tables. You can efficiently
> handle hundreds of thousands of CIDR blocks and IPv6 prefixes in a single
> table, or multiple tables. You can assign the argument based on country
> code or some such. You can add and delete CIDR blocks, and even swap tables
> so you can do it atomically.

Aha! Thanks. So, I added this to my firewall startup code:

    ###
    # Block Naughty IP Addresses/Spaces
    ###

    # Use ipfw tables for efficiency
    for addr in `cat ${NAUGHTYFILE}`
    do
        ${FWCMD} table 10 add ${addr}
    done
    ${FWCMD} add deny all from table\(10\) to any via ${OIF}

ipfw show does show that new table being referenced and the table shows
the IPs and CIDR blocks I want stopped, but I have no affirmative proof
this is working yet. It does, however, no longer clobber network
performance as you noted.

So ... thanks again!

P.S. Is there a way to get ipfw to dump everything it is blocking
including the stuff in the table?
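The loader below is an added example written for this archive page; it is not code from either poster. It reworks the loop in the message along the lines Michael describes: entries are filtered so a comment, blank line or malformed entry in the blocklist file cannot abort the load, they are added to a staging table, and that table is then swapped into the live one in a single step, so the firewall never matches against a half-loaded set. Finally the live table is listed, which is the plain way to see what is currently being blocked via the table. The variable names FWCMD, OIF and NAUGHTYFILE mirror the post; table numbers 10 and 11 and the interface default are arbitrary assumptions, and the blocklist contents are constructed for the demonstration (TEST-NET ranges, not a real feed).

```sh
#!/bin/sh
# Added example, not from the thread. Assumes FreeBSD ipfw with table
# support for "create", "flush", "add", "swap" and "list".
FWCMD="${FWCMD:-/sbin/ipfw}"
OIF="${OIF:-em0}"          # assumed outside interface name
LIVE_TABLE=10              # table referenced by the deny rule
STAGE_TABLE=11             # scratch table that is swapped into LIVE_TABLE

# Print only the lines of a blocklist file that look like an IPv4 address
# or CIDR block. Comments, surrounding whitespace and junk are dropped so
# that one bad line never feeds a bogus argument to ipfw.
valid_entries() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Number of usable entries; compare against "ipfw table N info" after a
# reload to confirm everything made it in.
count_entries() {
    valid_entries "$1" | wc -l | tr -d ' '
}

# Rebuild the staging table from the file, then swap it in atomically and
# list what the live table now holds.
load_blocklist() {
    file="$1"
    ${FWCMD} table ${STAGE_TABLE} create 2>/dev/null   # no-op if it exists
    ${FWCMD} table ${STAGE_TABLE} flush
    valid_entries "$file" | while read -r addr; do
        ${FWCMD} table ${STAGE_TABLE} add "$addr"
    done
    # Swap contents: packets match either the old set or the new one,
    # never a partially loaded table.
    ${FWCMD} table ${STAGE_TABLE} swap ${LIVE_TABLE}
    ${FWCMD} table ${LIVE_TABLE} list
}

# Constructed sample blocklist used for a dry run; the "not-an-address"
# line is there to show that it is skipped rather than passed to ipfw.
write_sample_blocklist() {
    cat > "$1" <<'EOF'
# constructed sample, not a real feed
192.0.2.0/24      # TEST-NET-1
198.51.100.7
not-an-address
  203.0.113.0/25
EOF
}

# Usage: sh loader.sh /etc/naughty.txt
# Dry run without touching the firewall: FWCMD=echo sh loader.sh file
if [ "$#" -gt 0 ]; then
    load_blocklist "$1"
fi
```

The deny rule from the post stays as it is; only the table contents change, so the rule keeps referencing table 10 and picks up the new set the moment the swap completes. Running with FWCMD=echo prints the exact ipfw commands that would be issued, which is a cheap way to review a new blocklist before loading it.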