Re: ipfw rules vs routes to localhost?
From: Barney Wolff (barney_at_databus.com)
Date: Wed, 28 May 2003 17:40:46 -0400
To: "Crist J. Clark" <firstname.lastname@example.org>
On Wed, May 28, 2003 at 02:03:59PM -0700, Crist J. Clark wrote:
> On Wed, May 28, 2003 at 12:51:54AM -0400, Paul Chvostek wrote:
> > I'm considering:
> > ipfw add N deny ip from a.b.c.d to any
> > vs.
> > route add -host a.b.c.d localhost
> > I need to block traffic to a number of IP addresses. I thought I'd use
> > ipfw to avoid things like UDP DNS lookups that might come in and take up
> > resources while my system tried to respond, but it's been suggested on
> > another list that setting routes to localhost will use less resources.
> > Ideally, I'd like to be able to block a few tens of thousands of IPs.
> > What's the scoop?
> Someone is assuming the old rule for blocking traffic on a (Cisco)
> router applies to the FreeBSD stack. It doesn't necessarily apply.
> First off, blocking it in ipfw rules is obviously more efficient if
> you are running ipfw(8) already.
Can ipfw really handle "tens of thousands" of rules efficiently?
I'd hate to implement a trie with ipfw skipto rules, but that's the
only way ipfw could block that many individual IPs efficiently.
But there's a more fundamental problem: The two choices above do
different things. The ipfw rule drops inbound packets, while the
route drops outbound packets. If the threat is connections from outside,
the route solution converts each of these into a DoS attempt. If the
threat is internal users connecting to banned sites, the ipfw rule
should be written as "from any to a.b.c.d." In the latter case the
route solution looks good.
If I had to do this inbound, I'd look at netgraph as a way to put
custom code in the kernel that looks up the source IP addr in a
But the hard part will be updating the table of banned IPs and informing
the kernel. How often must the table change?
--
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
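The "trie with ipfw skipto rules" Barney mentions, as an added example (not from the thread): a Python generator that buckets banned source addresses by /16, emits one dispatch skipto per bucket followed by per-bucket "deny ip from X to any" rules, and a small simulator that walks the rule list the way ipfw does and counts the rules examined per packet. The /16 split, the rule numbering and the default-allow end rule are my own assumptions; like the rule in the original question, it matches on the source address, i.e. the inbound case.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
def build_skipto_rules(banned, prefixlen=16, base=100):
    """Return (rules, end_number); a rule is (number, action, skipto_target, src_net).
    Dispatch rules skipto the bucket for the source's /prefixlen; each bucket holds
    per-host 'deny ip from X to any' rules (inbound blocking) and ends with a skipto."""
    buckets = defaultdict(list)
    for ip in banned:
        buckets[ip_network(f"{ip}/{prefixlen}", strict=False)].append(ip_network(ip))
    nets = sorted(buckets)
    starts, n = {}, base + len(nets) + 1      # dispatch: one skipto per bucket + catch-all
    for net in nets:                           # bucket start numbers, needed for the dispatch
        starts[net] = n
        n += len(buckets[net]) + 1             # one deny per host + skipto past all buckets
    end, num, rules = n, base, []
    for net in nets:
        rules.append((num, "skipto", starts[net], net)); num += 1
    rules.append((num, "skipto", end, ANY)); num += 1       # source in no bucket: skip all
    for net in nets:
        for host in buckets[net]:
            rules.append((num, "deny", None, host)); num += 1
        rules.append((num, "skipto", end, ANY)); num += 1   # not banned: leave the bucket
    rules.append((end, "allow", None, ANY))                  # assumed default: accept the rest
    return rules, end

def render(rules):
    """Format the rules as ipfw(8) commands."""
    lines = []
    for num, action, target, net in rules:
        tgt = f" {target}" if target is not None else ""
        src = "any" if net == ANY else str(net.network_address if net.prefixlen == 32 else net)
        lines.append(f"ipfw add {num} {action}{tgt} ip from {src} to any")
    return lines

def evaluate(rules, src):
    """Walk the rules like ipfw: the first match decides; skipto N resumes at the first
    rule numbered >= N. Returns (verdict, rules_examined)."""
    addr, i, examined = ip_address(src), 0, 0
    while i < len(rules):
        _, action, target, net = rules[i]
        examined += 1
        if addr not in net:
            i += 1
        elif action != "skipto":
            return action, examined
        else:
            i = next(j for j, r in enumerate(rules) if r[0] >= target)
    return "allow", examined          # fell off the end: ipfw's default rule
```

With 1,000 banned hosts spread over twenty /16s, a lookup examines at most about 70 rules instead of up to 1,000 for a flat deny list; the table still has to be regenerated and reloaded whenever the banned set changes, which is the updating problem raised above.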