From: Oliver Fromme
To: freebsd-net@FreeBSD.ORG
Date: Fri, 15 Sep 2006 14:44:31 +0200 (CEST)
Subject: Re: blocking a string in a packet using ipfw
Message-Id: <200609151244.k8FCiVqV016726@lurza.secnetix.de>
In-Reply-To: <450A9421.6010400@withagen.nl>

Willem Jan Withagen wrote:
> Julian Elischer wrote:
> > > Forgot to mention: 4.7-PRERELEASE :(
> >
> > ugh... no tables
> > and 45000 lines will be bad.

Not necessarily ...

> Over that time I collected over 50.000 IP's which all ended up
> in IPFW. :) The box (PIII, 750 Mhz, 512Mb) started using a lot
> of system and interrupt time, but it survived it all.

I once wrote a small tool that took a bunch of IP addresses on
stdin and converted it into IPFW "skipto" rules forming a binary
tree. So, in the worst case, only 32 rules had to be checked for
each packet, instead of 50,000.

Of course, with IPFW2's table feature, that tool of mine became
obsolete.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"I have stopped reading Stephen King novels. Now I just read C code instead."
        -- Richard A. O'Keefe