From: Julian Elischer <julian@elischer.org>
Date: Mon, 27 Oct 2008 10:12:47 -0700
To: ipfw@freebsd.org, David Wolfskill
Subject: Re: Any plans or desire for "bulk addition" to tables?
Message-ID: <4905F68F.2030403@elischer.org>
In-Reply-To: <20081027164452.GC69155@bunrab.catwhisker.org>

David Wolfskill wrote:
> On my systems that are directly connected to network not known to be
> relatively "safe," I use ipfw a fair bit.
>
> Of late, I've taken to augmenting the usual rules that are sensitive to
> specific ports and the like with (early) rules that check certain ipfw
> tables; they are used in the following way:
>
> * Traffic where an endpoint is found in table 1 is blocked. Period.
>
> * Traffic where the source address is in table 2 is not permitted to
> initiate a 22/tcp connection.
>
> * Traffic where the source address is in table 3 is not permitted to
> initiate a 80/tcp or a 443/tcp connection.
>
> Reasons for the above are somewhat off-topic for the list; I'll merely
> comment that they have to do with perceived failure to respond to
> observed attempts at abuse: I will protect my networks.
>
> In any case, I've cobbled up a moderately complex mechanism for
> maintaining the tables in question, and table 1 (in particular) has
> grown to be rather large:
>
> d254(8.0-C)[1] sudo ipfw table 1 list | wc -l
> Password:
> 11230
> d254(8.0-C)[2] ^1^2
> sudo ipfw table 2 list | wc -l
> 1743
> d254(8.0-C)[3] ^2^3
> sudo ipfw table 3 list | wc -l
> 50
> d254(8.0-C)[4]
>
> Unfortunately, the only way I've found to populate a given table is to
> issue
>
> ipfw table ${table} add ${netblock}

You can read in a file of entries, i.e.

ipfw -q filename

where each line is of the form

table N add IP VAL

This increases the speed many times, as you are not starting ipfw(1) for
each entry.

> for each "netblock" in the table (assuming that I don't care about the
> optional "value" parameter -- which I haven't found a use for).

Oh, I have lots of use for that...

> Issuing something on the order of 13K "ipfw table ... add" commands
> during the single- to multi-user transition tends to slow down the
> effective boot time a bit -- especially when I'm booting up CURRENT on
> my laptop (with WITNESS & INVARIANTS specified).

I add many thousands using the method described above and it takes a
second or so. You can alternatively do:

myscript | ipfw -q /dev/stdin

where 'myscript' generates the values.

> Would some way to teach ipfw(8) how to perform some sort of "bulk add"
> of a bunch of table entries in a single command invocation be of
> interest to anyone else?
>
> Please include my address on responses, as I'm not subscribed to -ipfw@.
> (I've tweaked Reply-To to provide an MUA hint.)
>
> Peace,
> david
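The batch-loading approach Julian describes, as an added shell example that is not code from the thread: it turns a plain netblock list into "table N add IP VAL" lines and feeds them to one "ipfw -q /dev/stdin" instead of forking ipfw per entry. Table number 1, the value 0, the constructed sample entries and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Table number, value field, sample
# entries and function names are assumptions for illustration.

# Emit one "table N add ADDR VALUE" line per netblock read from stdin.
# Blank lines and '#' comments are skipped; a bare address becomes /32;
# anything that is not a.b.c.d or a.b.c.d/n is reported on stderr and
# dropped, so one bad line does not abort the whole batch.
gen_ipfw_batch() {
    table="$1"   # ipfw table number
    value="$2"   # optional per-entry value (0 if unused)
    while IFS= read -r line; do
        entry="${line%%#*}"                          # strip trailing comment
        entry="$(printf '%s' "$entry" | tr -d '[:space:]')"
        [ -n "$entry" ] || continue
        case "$entry" in
            */*) net="$entry" ;;
            *)   net="$entry/32" ;;                  # bare address: host entry
        esac
        # crude syntactic check: four dotted octets and a 0-32 prefix length
        if printf '%s\n' "$net" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
            printf 'table %s add %s %s\n' "$table" "$net" "$value"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done
}

# Constructed sample input standing in for the real blocklist file.
sample_blocklist() {
    cat <<'EOF'
# constructed example entries
192.0.2.0/24        # documentation range
198.51.100.7        # single host, becomes /32
not-an-address
203.0.113.0/33      # bad prefix length
EOF
}

# Load the whole table with a single ipfw process. Run as root on a
# FreeBSD host with ipfw(8) available.
load_table() {
    sample_blocklist | gen_ipfw_batch 1 0 | ipfw -q /dev/stdin
}
```

Keep in mind that -q also silences errors from ipfw itself, so validate the input before the load as the generator does, rather than relying on ipfw to report bad lines.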