From owner-freebsd-net@FreeBSD.ORG  Tue Jun 20 20:56:25 2006
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: net@freebsd.org
Delivered-To: freebsd-net@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D267416A570
	for <net@freebsd.org>; Tue, 20 Jun 2006 20:56:25 +0000 (UTC)
	(envelope-from brett@lariat.org)
Received: from lariat.net (lariat.net [65.122.236.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0B00543D6E
	for <net@freebsd.org>; Tue, 20 Jun 2006 20:56:24 +0000 (GMT)
	(envelope-from brett@lariat.org)
Received: from Anne (IDENT:ppp1000.lariat.net@lariat.net [65.122.236.2])
	by lariat.net (8.9.3/8.9.3) with ESMTP id OAA14381
	for <net@freebsd.org>; Tue, 20 Jun 2006 14:56:21 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook renders your system
	susceptible to Internet worms.
Message-Id: <7.0.1.0.2.20060620143845.06662330@lariat.org>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.1.0
Date: Tue, 20 Jun 2006 14:56:12 -0600
To: net@freebsd.org
From: Brett Glass <brett@lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Cc: 
Subject: Best way to block a long list of IPs?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jun 2006 20:56:26 -0000

Everyone:

I've got an application in which I must block incoming TCP 
connections to a FreeBSD server from a potentially large list of IP 
addresses. Using IPFW is not a very efficient way to accomplish 
this, because it must do a linear search of a list (either one 
address per rule or an "or" list in a rule) and this could slow 
down every packet entering the machine dramatically.

Could entering blackhole routes into the routing table possibly be 
more efficient? (It would allow SYNs to come in, but with SYN 
cookies enabled there'd be almost no overhead and the SYN-ACK would 
never make it back to the center.) Is there any other mechanism I 
should be looking at (e.g. a custom "divert" filter for SYNs)?

--Brett Glass