Date:      Tue, 20 Jun 2006 14:56:12 -0600
From:      Brett Glass <brett@lariat.org>
To:        net@freebsd.org
Subject:   Best way to block a long list of IPs?
Message-ID:  <7.0.1.0.2.20060620143845.06662330@lariat.org>

Everyone:

I've got an application in which I must block incoming TCP 
connections to a FreeBSD server from a potentially large list of IP 
addresses. Using IPFW is not a very efficient way to accomplish 
this, because it must do a linear search of a list (either one 
address per rule or an "or" list in a rule) and this could slow 
down every packet entering the machine dramatically.

Could entering blackhole routes into the routing table possibly be 
more efficient? (It would allow SYNs to come in, but with SYN 
cookies enabled there'd be almost no overhead and the SYN-ACK would 
never make it back to the center.) Is there any other mechanism I 
should be looking at (e.g. a custom "divert" filter for SYNs)?

--Brett Glass
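One mechanism the post does not mention, added here as an example that is not from the thread: ipfw lookup tables (FreeBSD 5.3 and later), where the whole list lives in a radix tree and a single rule references it, so the per-packet cost does not grow with the number of addresses. The table and rule numbers, the list-file format and the sample addresses are all assumptions; the script prints the ipfw commands rather than running them so the result can be reviewed first.

```shell
# Added example, not from the original post. Loads a block list into an
# ipfw lookup table and references it from ONE rule, so the per-packet
# cost is a radix-tree lookup rather than a walk over N rules. (assumed)
TABLE=1
RULE=100

# Accept only dotted-quad IPv4, optionally with /prefix; runs in a subshell
# so IFS and the positional parameters are not clobbered for the caller.
valid_entry() (
    set -f
    addr=${1%/*}; plen=32
    case $1 in */*) plen=${1#*/} ;; esac
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    IFS=.; set -- $addr
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
)

# Print the ipfw commands for a list file (one entry per line, '#' comments).
# Invalid entries are reported on stderr instead of silently dropped, and the
# final rule only matches TCP connection setups (SYN) aimed at this host.
ipfw_blocklist_cmds() {
    while read -r entry rest; do
        case $entry in ''|\#*) continue ;; esac
        if valid_entry "$entry"; then
            echo "ipfw table $TABLE add $entry"
        else
            echo "skipping invalid entry: $entry" >&2
        fi
    done < "$1"
    echo "ipfw add $RULE deny tcp from table($TABLE) to me setup"
}

# Constructed sample list using RFC 5737 documentation ranges plus two bad
# lines to exercise the validation path; these are not real indicators.
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
# hosts seen probing last night
192.0.2.10
198.51.100.0/24
203.0.113.7        # trailing comment
300.1.1.1
10.0.0.1/33
EOF
ipfw_blocklist_cmds "$SAMPLE_LIST"   # dry run: prints the commands
```

To apply, pipe the printed commands into `sh -e` as root on a host with ipfw loaded; re-running the table loads is harmless if entries are removed first with `ipfw table 1 flush`.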
