Date: Wed, 14 Jan 2009 11:44:53 -0500
From: Steve Bertrand <steve@ibctech.ca>
To: Artem Kuchin <matrix@itlegion.ru>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: Blocking very many (tens of thousands) ip addresses in ipfw
Message-ID: <496E1685.8090605@ibctech.ca>
In-Reply-To: <496E117D.8030306@itlegion.ru>
References: <496E117D.8030306@itlegion.ru>
Artem Kuchin wrote:
> I need to block around 150000 IP addresses from accessing the server at all
> at any port. The addresses are random, they are not nets.
> These are the spammers I want to block for 24 hours.
> The list is dynamically generated and regenerated every hour or so.
> What is the most efficient way to do it?
> At first I thought of doing ipfw rules using 5 IPs per rule, that would
> result in 30000 rules! This will be too slow!
> I need something really quick and smart. Like matching the first
> number from the IP (195 from 192.1.2.3),
> if it does not match - skip, if it does - compare the next one
> and so on.

Use tables. They are efficient, and easy to manipulate.

# ipfw table 1 add xx.xx.xx.xx/xx
# ipfw add deny all from "table(1)" to any

It would be best if you allowed only legitimate IP addresses to pass traffic in/out of your network, and then deny all else, but the way your message reads, this is SMTP traffic inbound, so 'allow some, deny the rest' doesn't work too well here.

Steve
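As an added example (not from the thread), the sh script below turns an hourly-regenerated blocklist into ipfw table commands and loads them with one ipfw -q call instead of one ipfw process per address; table 1, rule number 100 and the list format (one IPv4 address or CIDR per line, '#' comments allowed) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumptions: blocklist file has one IPv4 address or CIDR per line,
# blocked entries live in table 1, rule 100 (hypothetical) is the deny rule.

TABLE_NO=1
RULE_NO=100

# Print ipfw commands that replace the contents of $TABLE_NO with the
# entries in list file $1. Blank lines and '#' comments are ignored;
# anything that is not a valid dotted-quad (optionally /prefix) is
# reported on stderr and left out, so a bad line in the feed cannot
# abort the whole load.
build_table_cmds() {
    list="$1"
    awk -v t="$TABLE_NO" '
        BEGIN { print "table " t " flush" }
        /^[[:space:]]*(#|$)/ { next }
        {
            ok = ($0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/)
            if (ok) {
                split($0, parts, "/")
                n = split(parts[1], oct, ".")
                for (i = 1; i <= n; i++) if (oct[i] > 255) ok = 0
                if (parts[2] != "" && parts[2] > 32) ok = 0
            }
            if (ok) print "table " t " add " $0
            else print "skipping malformed entry: " $0 > "/dev/stderr"
        }' "$list"
}

# Write the commands to a temp file and let a single ipfw(8) process
# read them (ipfw -q pathname). The deny rule is created once by
# install_deny_rule and stays put; only the table is refilled each hour.
apply_blocklist() {
    list="$1"
    tmp=$(mktemp) || return 1
    build_table_cmds "$list" > "$tmp"
    ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

install_deny_rule() {
    ipfw add "$RULE_NO" deny all from "table($TABLE_NO)" to any
}
```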
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?496E1685.8090605>