From owner-freebsd-questions@FreeBSD.ORG Mon Aug 27 06:37:48 2007
From: "Aminuddin" <amin.scg@gmail.com>
To: "'Dan Nelson'" <dnelson@allantgroup.com>
Cc: freebsd-questions@freebsd.org
Date: Mon, 27 Aug 2007 14:37:34 +0800
Subject: RE: How to block 200K ip addresses?
In-Reply-To: <20070826061435.GD25055@dan.emsphone.com>
Message-ID: <46d27138.07ec720a.0343.ffffbba7@mx.google.com>
Reply-To: amin.scg@gmail.com
List-Id: User questions <freebsd-questions@freebsd.org>

Will give this a try. Since my server is a remote server that I can access only by ssh, what other rules do I need to add in? I don't want to have a situation where I will lock myself out.

Is it correct to say that the rules that I put in will only block those in the rules and allow all that are not in the rules?

Thanks

-----Original Message-----
From: Dan Nelson [mailto:dnelson@allantgroup.com]
Sent: Sunday, August 26, 2007 2:15 PM
To: Aminuddin
Cc: freebsd-questions@freebsd.org
Subject: Re: How to block 200K ip addresses?

In the last episode (Aug 26), Aminuddin said:
> From: Dan Nelson [mailto:dnelson@allantgroup.com]
> > In the last episode (Aug 26), Aminuddin said:
> > > From: Dan Nelson
> > > > In the last episode (Aug 26), Aminuddin said:
> > > > > How do you block this large range of IP addresses from
> > > > > different subnets? IPFW only allows 65536 rules while this
> > > > > will probably use up a few hundred thousand lines.
> > > > >
> > > > > I'm also trying to add this into my proxy configuration file,
> > > > > ss5.conf, but it doesn't allow me to add this large number.
> > > > >
> > > > > Is this the limitation of IPF or FreeBSD? How do I work
> > > > > around this?
> > > >
> > > > Even though there are 65536 rule numbers, each number can
> > > > actually have any amount of rules assigned to it. What you're
> > > > probably looking for, though, is ipfw's table keyword, which
> > > > uses the same radix tree lookup format as the kernel's routing
> > > > tables, so it scales well to large amounts of sparse addresses.
> > > > man ipfw, search for "lookup tables".
> > >
> > > I intend to create a ruleset file consisting of these statements:
> > >
> > > Ruleset------------------------
> > >
> > > add 2300 skipto 2301 ip from 0.0.0.0/6 to any
> > > add 2400 skipto 2401 ip from any to 0.0.0.0/6
> > > add 2300 skipto 2302 ip from 4.0.0.0/6 to any
> > > add 2400 skipto 2402 ip from any to 4.0.0.0/6
> > [...]
> > > add 2300 skipto 2363 ip from 248.0.0.0/6 to any
> > > add 2400 skipto 2463 ip from any to 248.0.0.0/6
> > > add 2300 skipto 2364 ip from 252.0.0.0/6 to any
> > > add 2400 skipto 2464 ip from any to 252.0.0.0/6
> > >
> > > add 2301 deny ip from 3.0.0.0/8 to any
> > > add 2401 reject ip from any to 3.0.0.0/8
> > > add 2302 deny ip from 4.0.25.146/31 to any
> > > add 2402 reject ip from any to 4.0.25.146/31
> > [...]
> > > add 2302 deny ip from 4.18.37.16/28 to any
> > > add 2402 reject ip from any to 4.18.37.16/28
> > > add 2302 deny ip from 4.18.37.128/25 to any
> > > add 2402 reject ip from any to 4.18.37.128/25
> > > ------------------------------------end ruleset
> > >
> > > Will the above rules block me from ssh'ing into my remote server if
> > > the IP address of my local PC (dynamic IP) is not within any of
> > > the above rules' IP ranges, and will they block my snmpd services?
> >
> > Yes; it's a little convoluted but should work. You want to drop
> > incoming packets from the listed IP ranges, and return a "host
> > unreachable" to internal machines sending outgoing packets to the
> > listed IP ranges? Wouldn't it be easier to use ipfw's table
> > feature and have something like this:
> >
> > add table 1 3.0.0.0/8
> > add table 1 4.0.25.146/31
> > add table 1 4.0.25.148/32
> > [...]
> > add table 1 4.18.37.16/28
> > add table 1 4.18.37.128/25
> > add 2300 deny ip from table 1 to any
> > add 2400 reject ip from any to table 1
> >
> > That way you only have two ipfw rules, both of which use a single
> > table lookup.
>
> My complete list has about 300K lines. It takes a few hours
> just to load the rules. Will it be faster to load using the table?

I did a quick test myself by fetching the safepeer IP list and adding it via rules and tables. This was a quick hack, so I'm just adding the first IP in each line, not the whole netblock (I didn't want to write a range->netmask converter). On my heavily-loaded box (currently doing a buildworld and some mrtg sweeps), I'm only able to insert about 60 ipfw "deny ip from 4.0.25.146 to any"-format rules per second. By contrast:

(root@dan) /tmp># head -3 splist1.table
table 1 add 0.0.0.0
table 1 add 4.0.25.146
table 1 add 4.0.26.14
(root@dan) /tmp># wc -l splist1.table
191637 splist1.table
(root@dan) /tmp># time ipfw /tmp/splist1.table
ipfw /tmp/splist1.table: U:3.30s S:1.75s E:6.74s CPU:75% Faults:0/95 I/O:0/0 Swaps:0
(root@dan) /tmp># ipfw table 1 list | wc -l
191637

Under 7 seconds to load all 191k entries :)

-- 
	Dan Nelson
	dnelson@allantgroup.com
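Two things from the thread are worth making concrete: the range->netmask conversion Dan skipped (so whole netblocks land in the table, not just the first address of each line), and the ordering that keeps a remote ssh session alive while the deny rules go in. The script below is an added example for this editing pass, not code posted by anyone in the thread. It assumes a "label:first-last" blocklist layout (a guess at the p2p/safepeer style; adjust parse_ranges() if your list differs), assumes a management network of 203.0.113.0/24 and rule numbers 200/210 for the ssh allows, and uses the table(N) address form from ipfw(8) rather than the "table 1" shorthand in the quoted text. The 2300/2400 numbers are Dan's. Before loading anything, also check what the kernel does with traffic no rule matches: `ipfw list 65535` shows the default rule, which is "deny ip from any to any" unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT, so "rules only block what they list" is only true on an accept-by-default kernel.

```python
#!/usr/bin/env python3
"""Build an ipfw(8) table load file from a range-style IP blocklist.

Added example, not code from the mailing-list thread.  It converts
"first-last" ranges to minimal CIDR blocks, emits "table N add" lines in
the same shape as Dan's splist1.table, and generates the few rules that
must sit *before* the table deny so a remote admin keeps ssh access.
"""
import ipaddress
from typing import Iterable, Iterator, List, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# Constructed sample input.  The "label:first-last" layout is an assumption
# about p2p/safepeer-style lists; adapt parse_ranges() for another format.
SAMPLE_LIST = """\
# blank lines and comments are skipped
Example Corp:3.0.0.0-3.255.255.255
Two hosts:4.0.25.146-4.0.25.147
One host:4.0.25.148-4.0.25.148
Odd span:4.18.37.16-4.18.37.40
this line has no range and is skipped
"""


def parse_ranges(text: str) -> Iterator[Range]:
    """Yield (first, last) address pairs; labels may themselves contain ':'."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        span = line.rpartition(":")[2]          # text after the last ':'
        if "-" not in span:
            continue                            # malformed entry, ignore it
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in span.split("-", 1))
        if hi < lo:                             # tolerate reversed ranges
            lo, hi = hi, lo
        yield lo, hi


def ranges_to_cidrs(ranges: Iterable[Range]) -> List[ipaddress.IPv4Network]:
    """Split each range into minimal CIDR blocks, then merge adjacent blocks."""
    nets: List[ipaddress.IPv4Network] = []
    for lo, hi in ranges:
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return list(ipaddress.collapse_addresses(nets))   # sorted, deduplicated


def table_commands(table: int, nets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Lines for 'ipfw /path/to/file': empty the table, then add every block."""
    return [f"table {table} flush"] + [
        f"table {table} add {n.with_prefixlen}" for n in nets
    ]


def rule_commands(table: int, mgmt_net: str = "any", ssh_port: int = 22) -> List[str]:
    """Rules referencing the table.  2300/2400 are the numbers from the thread;
    200/210 and mgmt_net are assumptions.  The ssh allows come first so a
    management address that also appears in the table stays reachable, and
    an empty table matches nothing, so these can be added before the fill."""
    return [
        f"add 200 allow tcp from {mgmt_net} to me {ssh_port}",
        f"add 210 allow tcp from me {ssh_port} to {mgmt_net}",
        f"add 2300 deny ip from table({table}) to any",
        f"add 2400 reject ip from any to table({table})",
    ]


def is_blocked(nets: Iterable[ipaddress.IPv4Network], addr: str) -> bool:
    """Pre-flight check: would the generated table cover this address?
    Run it against your own source IP before loading the table remotely."""
    a = ipaddress.IPv4Address(addr)
    return any(a in n for n in nets)


if __name__ == "__main__":
    blocks = ranges_to_cidrs(parse_ranges(SAMPLE_LIST))
    admin = "203.0.113.7"                        # assumed admin address
    if is_blocked(blocks, admin):
        raise SystemExit(f"{admin} is inside the blocklist; fix that first")
    print("\n".join(rule_commands(1, mgmt_net="203.0.113.0/24")))
    print("\n".join(table_commands(1, blocks)))
```

Redirect the output to a file and feed it to `ipfw /path/to/file` the way Dan did; the rules go in first, the `table 1 flush` then empties any stale entries, and the adds follow. Because the deny/reject rules consult the table at packet time, the table can be refreshed later with only the `table` lines, without touching the rule numbers at all.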