Date:      Fri, 06 Feb 2004 14:17:28 -0600
From:      "Jack L. Stone" <jacks@sage-american.com>
To:        "Vasenin Alexander aka BlackSir" <blacksir@number.ru>, "Luigi Rizzo" <rizzo@icir.org>, "Don Bowman" <don@sandvine.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   RE: Syntax to block 38 IPs
Message-ID:  <3.0.5.32.20040206141728.01ea93b0@10.0.0.15>
In-Reply-To: <NKEJKOHEKMBIMCCEHEPKOEJJCCAA.blacksir@number.ru>
References:  <3.0.5.32.20040206125411.01e841f0@10.0.0.15>

Thanks, folks, for the suggestions. I was planning to do the #2 suggestion
here, BUT, a pleasant surprise happened -- I just now received a message
from an official who is contacting the ReadAlert team to (hopefully)
resolve this issue on their server so the FW won't be necessary. I'll keep
an eye on the logs.

Now, I'd better begin a more complete study of IPFW2....

At 10:59 PM 2.6.2004 +0300, Vasenin Alexander aka BlackSir wrote:
>To upgrade to IPFW2 you need to recompile the kernel with IPFW2 option,
>recompile 'libalias' library and 'ipfw' control program. man ipfw would
>help. I'm not sure, but I suppose IPFW2 isn't marked STABLE for 4.x
>With ipfw1 there are 2 ways to solve your problem:
>1. Just add 38 lines to your rule list and forget about it
>2. ipfw deny ip from 209.102.202.0/24
>    ipfw deny ip from 65.194.51.0/24
>
>> -----Original Message-----
>> From: owner-freebsd-ipfw@freebsd.org
>> [mailto:owner-freebsd-ipfw@freebsd.org]On Behalf Of Jack L. Stone
>> Sent: Friday, February 06, 2004 9:54 PM
>> To: Luigi Rizzo; Don Bowman
>> Cc: freebsd-ipfw@freebsd.org
>> Subject: Re: Syntax to block 38 IPs
>>
>>
>> TopPost:
>> Thanks for the quick responses.
>>
>> So, I gather under IPFW(#1), it's either 38 lines or upgrade to IPFW2
>>
>> I haven't had time to study IPFW2 too well, although I know how
>> to upgrade.
>> A follow-up question is that, if I do upgrade, will IPFW2 still use my old
>> rules until I can get around to tuning/tweaking...??
>>
>> At 10:13 AM 2.6.2004 -0800, Luigi Rizzo wrote:
>> >On Fri, Feb 06, 2004 at 01:09:48PM -0500, Don Bowman wrote:
>> >...
>> >> deny ip from { 209.102.202.131, 209.102.202.132, ...} to any
>> >
>> >this is still inefficient. Better to use
>> >
>> >	deny ip from 209.102.202.0/24{131,132,157,190,1,86} ...
>> >
>> >which uses a bitmap to represent the list of hosts and has constant
>> >processing time as opposed to having to scan a list.
>> >
>> >	cheers
>> >	luigi
>> >
>> >> this uses IPFW2 I think.
>> >>
>> >> from the shell, remember to escape the { as \{.
>> >>
>> >> you could also send a RST i suppose, but just dropping it is
>> >> best.
>> >>
>> >> _______________________________________________
>> >> freebsd-ipfw@freebsd.org mailing list
>> >> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> >> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>> >
>> >
>>
>> Best regards,
>> Jack L. Stone,
>> Administrator
>>
>> Sage American
>> http://www.sage-american.com
>> jacks@sage-american.com
>>
>
>

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
jacks@sage-american.com
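
Added example, not part of the original thread: a shell function (the names ipfw_sets and sample_blocklist are hypothetical) that folds a per-host blocklist into the IPFW2 address-set form quoted above, one rule per /24. It assumes the output is saved to a ruleset file and loaded by ipfw from that file on an IPFW2 system; the sample addresses other than the six hosts in the quoted rule are constructed.

```sh
# Added example (not from the thread): fold a host blocklist into IPFW2
# address-set rules, one per /24, in the net/24{a,b,...} form quoted above.
# Output is ruleset-file lines ("add ..."), so braces need no shell escaping.
ipfw_sets() {
    awk -F. '
        function valid(   i) {          # dotted quad, each octet 0..255
            if (NF != 4) return 0
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) return 0
            return 1
        }
        { gsub(/[ \t\r]/, "") }         # tolerate stray whitespace / CRLF
        !valid() { next }               # drop blanks, comments, junk
        {
            net = ($1 + 0) "." ($2 + 0) "." ($3 + 0)
            if (seen[net, $4 + 0]++) next            # duplicate host
            if (!(net in hosts)) order[++n] = net    # keep first-seen order
            hosts[net] = hosts[net] " " ($4 + 0)
        }
        END {
            for (k = 1; k <= n; k++) {
                net = order[k]
                cnt = split(hosts[net], h, " ")
                for (i = 2; i <= cnt; i++) {         # numeric insertion sort
                    v = h[i] + 0
                    for (j = i - 1; j >= 1 && h[j] + 0 > v; j--) h[j + 1] = h[j]
                    h[j + 1] = v
                }
                if (cnt == 1) {                      # lone host: no set needed
                    printf "add deny ip from %s.%s to any\n", net, h[1]
                    continue
                }
                list = h[1]
                for (i = 2; i <= cnt; i++) list = list "," h[i]
                printf "add deny ip from %s.0/24{%s} to any\n", net, list
            }
        }'
}

# Constructed sample: the six hosts from the quoted rule, a duplicate, junk,
# and documentation-range addresses (192.0.2.0/24, 198.51.100.0/24).
sample_blocklist() {
    printf '%s\n' 209.102.202.131 209.102.202.132 209.102.202.157 \
        209.102.202.190 209.102.202.1 209.102.202.86 209.102.202.131 \
        192.0.2.77 not-an-address 192.0.2.300 192.0.2.9 198.51.100.5
}

sample_blocklist | ipfw_sets
```

Malformed lines are dropped silently, so compare the number of hosts in the generated rules against the source list before loading them.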


