From: "Jack L. Stone"
Date: Fri, 06 Feb 2004 14:17:28 -0600
To: "Vasenin Alexander aka BlackSir", "Luigi Rizzo", "Don Bowman"
Cc: freebsd-ipfw@freebsd.org
Subject: RE: Syntax to block 38 IPs

Thanks, folks for the suggestions. I was planning to do the #2 suggestion
here, BUT, a pleasant surprise happened -- I just now received a message
from an official who is contacting the ReadAlert team to (hopefully)
resolve this issue on their server so the FW won't be necessary. I'll keep
an eye on the logs.

Now, I'd better begin a more complete study of IPFW2....

At 10:59 PM 2.6.2004 +0300, Vasenin Alexander aka BlackSir wrote:
>To upgrade to IPFW2 you need to recompile the kernel with IPFW2 option,
>recompile 'libalias' library and 'ipfw' control program. man ipfw would
>help. I'm not sure, but I suppose IPFW2 isn't marked STABLE for 4.x
>With ipfw1 there are 2 ways to solve your problem:
>1. Just add 38 lines to your rule list and forget about it
>2. ipfw deny ip from 209.102.202.0/24
>   ipfw deny ip from 65.194.51.0/24
>
>> -----Original Message-----
>> From: owner-freebsd-ipfw@freebsd.org
>> [mailto:owner-freebsd-ipfw@freebsd.org]On Behalf Of Jack L. Stone
>> Sent: Friday, February 06, 2004 9:54 PM
>> To: Luigi Rizzo; Don Bowman
>> Cc: freebsd-ipfw@freebsd.org
>> Subject: Re: Syntax to block 38 IPs
>>
>>
>> TopPost:
>> Thanks for the quick responses.
>>
>> So, I gather under IPFW(#1), it's either 38 lines or upgrade to IPFW2
>>
>> I haven't had time to study IPFW2 too well, although I know how
>> to upgrade.
>> A follow-up question is that, if I do upgrade, will IPFW2 still use my old
>> rules until I can get around to tuning/tweaking...??
>>
>> At 10:13 AM 2.6.2004 -0800, Luigi Rizzo wrote:
>> >On Fri, Feb 06, 2004 at 01:09:48PM -0500, Don Bowman wrote:
>> >...
>> >> deny ip from { 209.102.202.131, 209.102.202.132, ...} to any
>> >
>> >this is still inefficient. Better to use
>> >
>> >	deny ip from 209.102.202.0/24{131,132,157,190,1,86} ...
>> >
>> >which uses a bitmap to represent the list of hosts and has constant
>> >processing time as opposed to having to scan a list.
>> >
>> >	cheers
>> >	luigi
>> >
>> >> this uses IPFW2 I think.
>> >>
>> >> from the shell, remember to escape the { as \{.
>> >>
>> >> you could also send a RST i suppose, but just dropping it is
>> >> best.
>> >>
>> >> _______________________________________________
>> >> freebsd-ipfw@freebsd.org mailing list
>> >> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> >> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>> >
>> >
>>
>> Best regards,
>> Jack L. Stone,
>> Administrator
>>
>> Sage American
>> http://www.sage-american.com
>> jacks@sage-american.com
>>
>
>
Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
jacks@sage-american.com
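
An added example, not part of the original thread: a shell helper that collapses a list of hosts to block into the IPFW2 address-set form quoted above (`a.b.c.0/24{h1,h2,...}`), one rule per /24. The function name `gen_ipfw2_sets` and the sample hosts are constructed for illustration; the output is in ipfw rule-file format (loaded with `ipfw /path/to/file`), so the braces need no `\{` shell escaping.

```shell
#!/bin/sh
# Added example (not from the thread): build IPFW2 address-set deny rules.
# stdin: one IPv4 address per line; blank lines and # comments are skipped,
# malformed addresses are reported on stderr and ignored.
# The set notation covers the last octet, so hosts are grouped per /24.
gen_ipfw2_sets() {
    awk -F. '
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    {
        gsub(/[ \t\r]/, "")                 # tolerate stray whitespace / CRLF
        if ($0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ ||
            $1 + 0 > 255 || $2 + 0 > 255 || $3 + 0 > 255 || $4 + 0 > 255) {
            print "skipping invalid address: " $0 > "/dev/stderr"
            next
        }
        net = ($1 + 0) "." ($2 + 0) "." ($3 + 0)
        host = $4 + 0
        if ((net, host) in seen) next       # drop duplicate hosts
        seen[net, host] = 1
        if (!(net in hosts)) { order[n++] = net; hosts[net] = host }
        else hosts[net] = hosts[net] "," host
        count[net]++
    }
    END {
        for (i = 0; i < n; i++) {           # keep first-seen network order
            net = order[i]
            if (count[net] == 1)            # lone host: plain address rule
                print "add deny ip from " net "." hosts[net] " to any"
            else                            # several hosts: one bitmap set
                print "add deny ip from " net ".0/24{" hosts[net] "} to any"
        }
    }'
}

# Constructed sample input (hypothetical hosts in the two /24s from the thread).
gen_ipfw2_sets <<'EOF'
# hosts to block
209.102.202.131
209.102.202.132
65.194.51.7
209.102.202.131
209.102.202.1
EOF
```

Review the generated lines before loading them; `ipfw -n /path/to/file` checks the syntax without installing the rules.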