From owner-freebsd-ipfw Wed Mar 27 0:16:24 2002
Date: Wed, 27 Mar 2002 00:16:12 -0800
From: "Crist J. Clark"
To: Tony Saign
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Rule to ignore/drop traffic from entire subnet??
Message-ID: <20020327001612.N89885@blossom.cjclark.org>

On Tue, Mar 26, 2002 at 07:33:58PM -0800, Tony Saign wrote:
> I have noticed certain IP address blocks (mostly from overseas),
> generating large logs on my router system.
>
> Is it possible to just drop/ignore and log all traffic originating from
> these subnets without affecting system performance with a rule or rules?

Sure, but...

> Mar 24 00:19:55 /kernel: ipfw: 3000 Deny ICMP:8.0 216.52.65.72 in via fxp0
> Mar 24 00:19:58 /kernel: ipfw: 3000 Deny ICMP:8.0 216.52.65.72 in via fxp0
> Mar 24 00:21:18 /kernel: ipfw: 3000 Deny ICMP:8.0 216.52.65.70 in via fxp0
> Mar 24 00:21:21 /kernel: ipfw: 3000 Deny ICMP:8.0 216.52.65.70 in via fxp0
> Mar 24 00:22:58 /kernel: ipfw: 3000 Deny ICMP:8.0 216.52.65.65 in via fxp0
> Mar 24 00:23:01 /kernel: ipfw: 3000 Deny ICMP:8.0 216.52.65.65 in via fxp0

The problem is deciding which networks to block. This particular
address is not "overseas" which your first sentence would imply. It is
very difficult, and often not possible, to determine where large
blocks of address space reside in the physical world.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
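
Added example, not part of the original message or of ipfw itself: one way to approach the "which networks to block" question from the log alone is to tally the denied sources and compute the smallest CIDR block covering each noisy group. The result describes only what the log shows and says nothing about who holds the address space or where it is. Assumptions: the /24 grouping, the min_hits threshold, rule number 2900 and the final TCP log line are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# The six log lines quoted in the message, plus one constructed TCP line
# (192.0.2.7 and 198.51.100.1 are documentation addresses).
SAMPLE_LOG = """\
Mar 24 00:19:55 /kernel: ipfw: 3000 Deny ICMP:8.0 216.52.65.72 in via fxp0
Mar 24 00:19:58 /kernel: ipfw: 3000 Deny ICMP:8.0 216.52.65.72 in via fxp0
Mar 24 00:21:18 /kernel: ipfw: 3000 Deny ICMP:8.0 216.52.65.70 in via fxp0
Mar 24 00:21:21 /kernel: ipfw: 3000 Deny ICMP:8.0 216.52.65.70 in via fxp0
Mar 24 00:22:58 /kernel: ipfw: 3000 Deny ICMP:8.0 216.52.65.65 in via fxp0
Mar 24 00:23:01 /kernel: ipfw: 3000 Deny ICMP:8.0 216.52.65.65 in via fxp0
Mar 24 00:25:10 /kernel: ipfw: 3000 Deny TCP 192.0.2.7:4312 198.51.100.1:80 in via fxp0
"""

# Source address follows the protocol; port and destination are optional
# because the quoted lines show neither.
DENY_RE = re.compile(
    r"ipfw: \d+ Deny \S+ (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?: \S+)? in via \S+")

def denied_sources(log):
    """Return the source address of every inbound Deny line, in order."""
    return [ip_address(m.group(1)) for m in DENY_RE.finditer(log)]

def covering_network(addrs):
    """Smallest CIDR block that contains every address in addrs."""
    lo, hi = int(min(addrs)), int(max(addrs))
    prefix = 32 - (lo ^ hi).bit_length()   # number of shared leading bits
    base = lo >> (32 - prefix) << (32 - prefix)
    return ip_network(f"{ip_address(base)}/{prefix}")

def candidates(log, min_hits=3):
    """Group sources by /24 and return [(network, hits)] for noisy groups."""
    groups = defaultdict(list)
    for src in denied_sources(log):
        groups[ip_network(f"{src}/24", strict=False)].append(src)
    found = [(covering_network(g), len(g)) for g in groups.values()
             if len(g) >= min_hits]
    return sorted(found, key=lambda item: -item[1])

def ipfw_rule(net, number, iface="fxp0"):
    """Format a deny rule; `number` must sort before the rule now logging."""
    return f"ipfw add {number} deny log ip from {net} to any in via {iface}"

if __name__ == "__main__":
    for net, hits in candidates(SAMPLE_LOG):
        print(f"# {hits} denied packets\n{ipfw_rule(net, 2900)}")
```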