From owner-freebsd-net@FreeBSD.ORG  Wed Jun 21 11:32:26 2006
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: net@freebsd.org
Delivered-To: freebsd-net@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0B93916A482
	for <net@freebsd.org>; Wed, 21 Jun 2006 11:32:26 +0000 (UTC)
	(envelope-from dmitry@atlantis.dp.ua)
Received: from postman.atlantis.dp.ua (postman.atlantis.dp.ua [193.108.47.1])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EFF8E43D60
	for <net@freebsd.org>; Wed, 21 Jun 2006 11:31:34 +0000 (GMT)
	(envelope-from dmitry@atlantis.dp.ua)
Received: from smtp.atlantis.dp.ua (smtp.atlantis.dp.ua [193.108.46.231])
	by postman.atlantis.dp.ua (8.13.1/8.13.1) with ESMTP id k5LBV1Yb016651; 
	Wed, 21 Jun 2006 14:31:01 +0300 (EEST)
	(envelope-from dmitry@atlantis.dp.ua)
Date: Wed, 21 Jun 2006 14:31:01 +0300 (EEST)
From: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
To: Luigi Rizzo <rizzo@icir.org>
In-Reply-To: <20060620143640.B1416@xorpc.icir.org>
Message-ID: <20060621141816.T41119@atlantis.atlantis.dp.ua>
References: <7.0.1.0.2.20060620143845.06662330@lariat.org>
	<20060620205730.GC3968@catpipe.net>
	<20060620140722.A1192@xorpc.icir.org>
	<7.0.1.0.2.20060620151013.042be3f8@lariat.org>
	<7.0.1.0.2.20060620152540.06cc64e8@lariat.org>
	<20060620143640.B1416@xorpc.icir.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: Brett Glass <brett@lariat.org>, net@freebsd.org
Subject: Re: Best way to block a long list of IPs?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jun 2006 11:32:26 -0000


Hello!

On Tue, 20 Jun 2006, Luigi Rizzo wrote:
> On Tue, Jun 20, 2006 at 03:26:25PM -0600, Brett Glass wrote:
>> Oh, by the way: I should mention that the server is running FreeBSD
>> 4.11. It's doing file-intensive work, and file system performance
>> in FreeBSD 6.x is noticeably slower.
>
> ipfw tables are also in 4.11

   Just don't forget to switch your system to ipfw2 (RELENG_4 uses ipfw1 by 
default). Switching is described in "USING IPFW2 IN FreeBSD-STABLE" section of 
ipfw(8). Manpage suggests recompiling /sbin/ipfw and /usr/lib/libalias along 
with the kernel, but /sbin/natd is statically linked against libalias in 
RELENG_4, so it also must be recompiled. Don't forget that you can't mix 
kernel compiled with "options IPFW2" and ipfw1-based binaries (compiled w/o 
IPFW2 defined) and vice versa (ipfw1-based kernel with ipfw2-based userland), 
so follow a standard upgrade path to be safe:

1) build (don't install) new binaries,
2) build and install new kernel,
3) reboot to single-user mode,
4) install new binaries,
5) reboot.


Sincerely, Dmitry
-- 
Atlantis ISP, System Administrator
e-mail:  dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE