Re: ipfw rules vs routes to localhost?

From: Julian Elischer (julian_at_elischer.org)
Date: 05/29/03

Date: Wed, 28 May 2003 15:12:24 -0700 (PDT)
To: Barney Wolff <barney@databus.com>

    On Wed, 28 May 2003, Barney Wolff wrote:

    > On Wed, May 28, 2003 at 02:03:59PM -0700, Crist J. Clark wrote:
    > > First off, blocking it in ipfw rules is obviously more efficient if
    > > you are running ipfw(8) already.
    >
    > Can ipfw really handle "tens of thousands" of rules efficiently?
    > I'd hate to implement a trie with ipfw skipto rules, but that's the
    > only way ipfw could block that many individual IPs efficiently.

    I once wrote a script to generate a skipto tree.
    Any packet hits at most 33 rules.
    :-)
    The problem was running out of ipfw line numbers. :-)

    >
    > But there's a more fundamental problem: The two choices above do
    > different things. The ipfw rule drops inbound packets, while the
    > route drops outbound packets. If the threat is connections from outside,
    > the route solution converts each of these into a DoS attempt. If the
    > threat is internal users connecting to banned sites, the ipfw rule
    > should be written as "from any to a.b.c.d." In the latter case the
    > route solution looks good.
    >
    > If I had to do this inbound, I'd look at netgraph as a way to put
    > custom code in the kernel that looks up the source IP addr in a
    > hash table.

    I've done that too :-)

    >
    > But the hard part will be updating the table of banned IPs and informing
    > the kernel. How often must the table change?

    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

