From: Alex Zbyslaw
Date: Tue, 24 May 2005 10:11:39 +0100
To: Francisco Reyes
Cc: freebsd-questions@freebsd.org
Subject: Re: securing SSH, FBSD systems
Message-ID: <4292EFCB.4030209@dial.pipex.com>
In-Reply-To: <20050523214917.Q46920@zoraida.natserv.net>

Francisco Reyes wrote:
> I found it got too messy to read firewall rules when I had blackholing
> there too. Also the feedback I got was that firewall rule was a flat
> list, while the route system used some type of tree.
This is true if you use one rule per blocked address, but not true, I believe, if you use ipfw (version 2) tables (see man ipfw). I believe pf also has a similar feature. Large lists of IP addresses are what they were designed for :-)

From man ipfw:

    LOOKUP TABLES
         Lookup tables are useful to handle large sparse address sets, typically
         from a hundred to several thousands of entries. There could be 128
         different lookup tables, numbered 0 to 127.

--Alex
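As an added illustration of the table approach Alex describes (this is not code from the thread or from the FreeBSD project), the script below turns a plain-text blocklist into ipfw(8) lookup-table commands: one `ipfw table N add` per address or prefix, and a single deny rule that references `table(N)`, so the rule set stays one line long no matter how many addresses are blocked. It assumes the ipfw2 syntax `ipfw table N add addr[/masklen]` and `from table(N)`; the blocklist file, the table number 1 and the rule number 100 are constructed sample values. The commands are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original thread.  Generates ipfw(8) lookup-table
# commands from a blocklist.  Assumes ipfw2 syntax:
#   ipfw table N add addr[/masklen]     ipfw add NNN deny ip from table(N) to any

# Constructed sample blocklist (documentation prefixes, not real attackers).
BLOCKLIST="${TMPDIR:-/tmp}/blocklist.$$"
cat > "$BLOCKLIST" <<'EOF'
# one IPv4 address or CIDR prefix per line; '#' starts a comment
192.0.2.17
192.0.2.200
198.51.100.0/24
203.0.113.5      # trailing comment is ignored
EOF
trap 'rm -f "$BLOCKLIST"' EXIT

# gen_ipfw_table_rules TABLE RULENUM FILE
# Prints commands that flush and reload table TABLE from FILE, then install one
# deny rule at RULENUM that matches every entry in the table.
gen_ipfw_table_rules() {
    table=$1; rulenum=$2; file=$3
    echo "ipfw table $table flush"
    # Drop comments and blank lines; keep only entries that look like
    # dotted-quad IPv4, optionally with a /len suffix, so a typo in the
    # blocklist cannot turn into an unexpected ipfw argument.
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$file" \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    | while read -r entry; do
          echo "ipfw table $table add $entry"
      done
    # The whole address set is covered by this single rule.
    echo "ipfw add $rulenum deny ip from table($table) to any"
}

# count_table_entries TABLE RULENUM FILE: number of table-add lines generated.
count_table_entries() {
    gen_ipfw_table_rules "$@" | grep -c "^ipfw table $1 add "
}

# Review the output; on the firewall host it can be piped to sh as root.
gen_ipfw_table_rules 1 100 "$BLOCKLIST"
```

Reloading with `table N flush` followed by the adds keeps the table in step with the file, and because the deny rule only references the table, adding or removing thousands of entries never touches the rule list itself, which is the readability and lookup-cost point made in the thread.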