Date: Mon, 27 Oct 2008 09:44:52 -0700 From: David Wolfskill <david@catwhisker.org> To: ipfw@freebsd.org Subject: Any plans or desire for "bulk addition" to tables? Message-ID: <20081027164452.GC69155@bunrab.catwhisker.org>
On my systems that are directly connected to a network not known to be relatively "safe," I use ipfw a fair bit. Of late, I've taken to augmenting the usual rules that are sensitive to specific ports and the like with (early) rules that check certain ipfw tables; they are used in the following way:

* Traffic where an endpoint is found in table 1 is blocked. Period.
* Traffic where the source address is in table 2 is not permitted to initiate a 22/tcp connection.
* Traffic where the source address is in table 3 is not permitted to initiate an 80/tcp or a 443/tcp connection.

Reasons for the above are somewhat off-topic for the list; I'll merely comment that they have to do with perceived failure to respond to observed attempts at abuse: I will protect my networks.

In any case, I've cobbled up a moderately complex mechanism for maintaining the tables in question, and table 1 (in particular) has grown to be rather large:

d254(8.0-C)[1] sudo ipfw table 1 list | wc -l
Password:
   11230
d254(8.0-C)[2] ^1^2
sudo ipfw table 2 list | wc -l
    1743
d254(8.0-C)[3] ^2^3
sudo ipfw table 3 list | wc -l
      50
d254(8.0-C)[4]

Unfortunately, the only way I've found to populate a given table is to issue

    ipfw table ${table} add ${netblock}

for each "netblock" in the table (assuming that I don't care about the optional "value" parameter -- which I haven't found a use for).

Issuing something on the order of 13K "ipfw table ... add" commands during the single- to multi-user transition tends to slow down the effective boot time a bit -- especially when I'm booting up CURRENT on my laptop (with WITNESS & INVARIANTS specified).

Would some way to teach ipfw(8) how to perform some sort of "bulk add" of a bunch of table entries in a single command invocation be of interest to anyone else?

Please include my address on responses, as I'm not subscribed to -ipfw@.
(I've tweaked Reply-To to provide an MUA hint.)

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
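One way to cut the per-entry process cost described above, as an added example that is not part of the original post: ipfw(8) reads commands from a file when given a pathname (`ipfw -q /path/to/file`, the same mechanism rc.firewall uses for a custom rules file), so a plain netblock list can be turned into one command file and loaded in a single invocation. The sh helper below (names `valid_v4_block` and `gen_table_batch` are assumptions) validates each IPv4 address or CIDR prefix first, so a malformed blocklist entry is reported and skipped rather than aborting the load.

```shell
#!/bin/sh
# Added example: generate an ipfw(8) command file for bulk-loading a table.
# Input: one IPv4 address or CIDR prefix per line; blank lines and '#'
# comments are ignored. Output lines use command-file syntax (no leading
# "ipfw"), e.g.:  table 1 add 10.0.0.0/8

# valid_v4_block ADDR[/LEN] -> returns 0 if well-formed, 1 otherwise
valid_v4_block() {
    addr=${1%%/*}
    len=${1#*/}
    [ "$len" = "$1" ] && len=32           # no prefix length given: host route
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case $addr in .*|*.|*..*) return 1 ;; esac   # leading/trailing/double dot
    oldifs=$IFS; IFS=.
    set -- $addr                          # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case $oct in ''|*[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# gen_table_batch TABLE < netblocks.txt > /etc/ipfw.table1
# Then load everything at once:  ipfw -q /etc/ipfw.table1
gen_table_batch() {
    table=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop trailing comments
        line=$(printf '%s' "$line" | tr -d ' \t')     # drop whitespace
        [ -n "$line" ] || continue
        if valid_v4_block "$line"; then
            printf 'table %s add %s\n' "$table" "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done
}
```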