Date: Sat, 23 Nov 2019 15:04:14 -0600 From: Tim Daneliuk <tundra@tundraware.com> To: FreeBSD Mailing List <freebsd-questions@freebsd.org> Subject: Re: Optimizing ipfw? Message-ID: <55e36a4a-c594-e70c-28ac-ab7312591955@tundraware.com> In-Reply-To: <CAHu1Y726%2BWLu9E=504QjiV2mfhYnSeRZwEU8wFvrF88ziATdSA@mail.gmail.com> References: <ac88a9fd-b3e4-a7f2-6f05-bf00df8f9626@tundraware.com> <CAHu1Y726%2BWLu9E=504QjiV2mfhYnSeRZwEU8wFvrF88ziATdSA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 11/23/19 11:46 AM, Michael Sierchio wrote:
> Don't use specific rules per CIDR block, use tables. You can efficiently
> handle hundreds of thousands of CIDR blocks and IPv6 prefixes in a single
> table, or multiple tables. You can assign the argument based on country
> code or some such. You can add and delete CIDR blocks, and even swap tables
> so you can do it atomically.
Aha! Thanks. So, I added this to my firewall startup code:
###
# Block Naughty IP Addresses/Spaces
###
# Use ipfw tables for efficiency
for addr in `cat ${NAUGHTYFILE}`
do
${FWCMD} table 10 add ${addr}
done
${FWCMD} add deny all from table\(10\) to any via ${OIF}
ipfw show does show that new table being referenced and the table shows the IPs and CIDR blocks
I want stopped, but I have no affirmative proof this is working yet.
It does, however, no longer clobber network performance as you noted. So ... thanks again!
P.S. Is there a way to get ipfw to dump everything it is blocking including the stuff in the table?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?55e36a4a-c594-e70c-28ac-ab7312591955>