Date: Tue, 24 May 2005 10:11:39 +0100
From: Alex Zbyslaw <xfb52@dial.pipex.com>
To: Francisco Reyes <lists@natserv.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: securing SSH, FBSD systems
Message-ID: <4292EFCB.4030209@dial.pipex.com>
In-Reply-To: <20050523214917.Q46920@zoraida.natserv.net>
References: <f2160e0d05052205454e6071d5@mail.gmail.com> <1368.24.99.220.144.1116792799.squirrel@24.99.220.144> <4290EEB4.9070502@makeworld.com> <20050522202535.K29197@zoraida.natserv.net> <20050523095117.D47072@mail.goinet.com> <20050523214917.Q46920@zoraida.natserv.net>
Francisco Reyes wrote:
> I found it got too messy to read firewall rules when I had blackholing
> there too. Also the feedback I got was that firewall rule was a flat
> list, while the route system used some type of tree.
This is true if you use one rule per blocked address, but not true, I
believe, if you use ipfw (version 2) tables (see man ipfw). I believe pf
also has a similar feature. Large lists of IP addresses are what they
were designed for :-)
From man ipfw
LOOKUP TABLES
Lookup tables are useful to handle large sparse address sets, typically
from a hundred to several thousands of entries. There could be 128
different lookup tables, numbered 0 to 127.
--Alex
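To make the point concrete, here is an added example, not from Alex's message or from the FreeBSD project: a small POSIX shell script that turns a flat blocklist into entries of one ipfw lookup table plus a single deny rule, instead of one firewall rule per address. Table number 1, rule number 100 and the sample addresses are assumptions; the `ipfw table` and `table(N)` syntax is the ipfw2 form the quoted man page section refers to.

```shell
#!/bin/sh
# Added example (not from the original message): turn a flat list of blocked
# addresses into one ipfw lookup table plus a single deny rule, instead of
# one firewall rule per address. Table and rule numbers are assumptions.

# Emit the ipfw commands for table $1 and rule number $2, reading one
# address or address/masklen per line from stdin; '#' comments, blank and
# malformed lines are skipped. Commands are printed, not executed, so the
# list can be reviewed before feeding it to ipfw on the firewall host.
gen_ipfw_table_cmds() {
    table=$1
    rule=$2
    # Start from an empty table so re-running does not leave stale entries.
    echo "ipfw table $table flush"
    # Keep only lines that look like IPv4 addresses, optionally with /masklen.
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?[[:space:]]*$' |
    while read -r addr; do
        echo "ipfw table $table add $addr"
    done
    # One rule matches every entry in the table; the table lookup is a tree
    # walk, not a scan over rules, so the rule count no longer grows with
    # the size of the blocklist.
    echo "ipfw add $rule deny ip from table($table) to any"
}

# Constructed sample blocklist (documentation ranges only), with a comment
# and a malformed line to show the filtering.
SAMPLE_BLOCKLIST='# hosts seen brute-forcing sshd
192.0.2.10
192.0.2.11
198.51.100.0/24
not an address
203.0.113.7
'

# Count the generated commands matching a pattern, as a sanity check:
# one flush, one "table add" per valid entry, one deny rule.
count_cmds() {
    printf '%s' "$SAMPLE_BLOCKLIST" | gen_ipfw_table_cmds 1 100 | grep -c "$1"
}

printf '%s' "$SAMPLE_BLOCKLIST" | gen_ipfw_table_cmds 1 100
```

On the firewall host the output can be reviewed and then piped to `sh`; the same table number can be refreshed later without touching the deny rule.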
