Date:      Sat, 23 Nov 2019 15:33:00 -0600
From:      Tim Daneliuk <tundra@tundraware.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Optimizing ipfw?
Message-ID:  <7407b36a-f3f0-2031-6332-ece6ff493a1e@tundraware.com>
In-Reply-To: <138c4563-3bc1-5054-21f4-ecb7b4260cf0@denninger.net>
References:  <ac88a9fd-b3e4-a7f2-6f05-bf00df8f9626@tundraware.com> <CAHu1Y726%2BWLu9E=504QjiV2mfhYnSeRZwEU8wFvrF88ziATdSA@mail.gmail.com> <55e36a4a-c594-e70c-28ac-ab7312591955@tundraware.com> <138c4563-3bc1-5054-21f4-ecb7b4260cf0@denninger.net>

On 11/23/19 3:21 PM, Karl Denninger wrote:
> 
> On 11/23/2019 15:04, Tim Daneliuk wrote:
>> On 11/23/19 11:46 AM, Michael Sierchio wrote:
>>> Don't use specific rules per CIDR block, use tables.  You can efficiently
>>> handle hundreds of thousands of CIDR blocks and IPv6 prefixes in a single
>>> table, or multiple tables.  You can assign the argument based on country
>>> code or some such. You can add and delete CIDR blocks, and even swap tables
>>> so you can do it atomically.
>> Aha!  Thanks.  So, I added this to my firewall startup code:
>>
>>   ###
>>   # Block Naughty IP Addresses/Spaces
>>   ###
>>
>>   # Use ipfw tables for efficiency
>>
>>   for addr in `cat ${NAUGHTYFILE}`
>>   do
>>     ${FWCMD} table 10 add ${addr}
>>   done
>>
>>   ${FWCMD} add deny all from table\(10\) to any via ${OIF}
>>
>>
>> ipfw show does show that new table being referenced and the table shows the IPs and CIDR blocks
>> I want stopped, but I have no affirmative proof this is working yet.
>>
>> It does, however, no longer clobber network performance as you noted.  So ... thanks again!
>>
>> P.S. Is there a way to get ipfw to dump everything it is blocking including the stuff in the table?
> 
> You can add the word "log" to that deny command (add deny log all ....)
> which will log everything that matches that line in the ipfw rule set.

Yep, that would do it, but I was hoping for something a little less
noisy like dumping an internal state table that shows number of
denies so far per IP or CIDR block.


-- 
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
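The script below is an added example written for this archive page, not Tim Daneliuk's firewall script and not part of ipfw itself. It ties together the three points made in the thread: Michael Sierchio's advice to load the blocklist into a table and swap it in atomically (here via a staging table and `ipfw table N swap M`), Karl Denninger's suggestion to add `log` to the deny rule, and Tim's wish for per-source deny counts. ipfw keeps packet and byte counters per rule (`ipfw -a list`), not per table entry, so the per-address tally comes from aggregating the `Deny` lines that `deny log` writes to syslog (which requires `net.inet.ip.fw.verbose=1`, i.e. `firewall_logging="YES"` in rc.conf). Everything specific is an assumption: `FWCMD`, `NAUGHTYFILE` and `OIF` are taken from the thread but given placeholder defaults, tables 10 (live) and 11 (staging) and rule number 100 are assumed free, and the log lines, host name `gw`, interface `em0` and the addresses (RFC 5737/3849 documentation ranges) are constructed.

```shell
#!/bin/sh
# Added example, not the original poster's script.  Assumptions: FWCMD is the
# ipfw binary, NAUGHTYFILE holds one address or CIDR per line ('#' comments
# allowed), OIF is the outside interface, tables 10/11 and rule 100 are free.
# Set DRY_RUN=1 to print the ipfw commands instead of running them.

FWCMD="${FWCMD:-/sbin/ipfw}"
NAUGHTYFILE="${NAUGHTYFILE:-/usr/local/etc/naughty.txt}"
OIF="${OIF:-em0}"
LIVE=10      # table the deny rule references
STAGE=11     # scratch table that is built, then swapped into LIVE
RULE=100     # rule number used for the deny and matched in the log

fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$FWCMD $*"; else "$FWCMD" "$@"; fi
}

# Build the blocklist in the staging table, then swap it with the live table.
# The swap is a single ipfw operation, so the rule never sees a half-loaded
# table.  Comments, blank lines and duplicate entries are dropped first.
load_table() {
    file="$1"
    fw table "$STAGE" create type addr 2>/dev/null || fw table "$STAGE" flush
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e '/^$/d' "$file" | sort -u |
    while IFS= read -r addr; do
        fw table "$STAGE" add "$addr"
    done
    fw table "$LIVE" create type addr 2>/dev/null || true
    fw table "$LIVE" swap "$STAGE"
}

# Install the deny rule once; the table can then be reloaded without touching
# the rule set.  'log' makes each match appear in syslog (verbose sysctl on).
install_rule() {
    fw add "$RULE" deny log all from "table($LIVE)" to any via "$OIF"
}

# Tally denies per source address from ipfw syslog lines of the form
#   ... kernel: ipfw: <rule> Deny <proto> <src> <dst> in via <if>
# TCP/UDP sources carry ":port", ICMP has none; a bracketed form is assumed
# for IPv6 sources.  Output: "<count> <address>", most frequent first.
count_denies() {
    rule="$1"
    awk -v rule="$rule" '
        $0 ~ ("ipfw: " rule " Deny ") {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            src = $(i + 4)                      # ipfw: RULE Deny PROTO SRC ...
            if (src ~ /^\[/) { sub(/^\[/, "", src); sub(/].*$/, "", src) }
            else sub(/:[0-9]+$/, "", src)
            n[src]++
        }
        END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Constructed sample of what /var/log/security would contain (not real traffic).
SAMPLE_LOG='Nov 23 15:31:02 gw kernel: ipfw: 100 Deny TCP 203.0.113.5:51234 192.0.2.10:22 in via em0
Nov 23 15:31:07 gw kernel: ipfw: 100 Deny TCP 203.0.113.5:51240 192.0.2.10:22 in via em0
Nov 23 15:31:09 gw kernel: ipfw: 100 Deny UDP 198.51.100.77:4000 192.0.2.10:53 in via em0
Nov 23 15:31:12 gw kernel: ipfw: 100 Deny ICMP:8.0 203.0.113.5 192.0.2.10 in via em0
Nov 23 15:31:15 gw kernel: ipfw: 200 Accept TCP 192.0.2.33:40000 192.0.2.10:443 in via em0
Nov 23 15:31:20 gw kernel: ipfw: 100 Deny TCP [2001:db8::bad]:3333 [2001:db8::10]:22 in via em0'

# Stand-alone demo: dry-run a table load from a constructed list, then
# summarise the constructed log.  On a real gateway you would instead run
# install_rule once, load_table "$NAUGHTYFILE" on every list update, and
# feed /var/log/security to count_denies "$RULE".
demo() {
    tmp=$(mktemp) || return 1
    printf '203.0.113.0/24\n# comment\n203.0.113.0/24\n\n198.51.100.7\n' > "$tmp"
    (DRY_RUN=1; load_table "$tmp")
    rm -f "$tmp"
    printf '%s\n' "$SAMPLE_LOG" | count_denies "$RULE"
}

demo
```

Two things to keep in mind: the summary only covers traffic that hit the logged rule, so it answers "how often has each listed source been denied" rather than "what is in the table" (use `ipfw table 10 list` for that), and with `net.inet.ip.fw.verbose_limit` set, a busy source stops being logged once the limit is reached, which caps its count.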




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7407b36a-f3f0-2031-6332-ece6ff493a1e>