Re: ipfw rules vs routes to localhost?

From: Crist J. Clark (crist.clark_at_attbi.com)
Date: 05/29/03

  • Next message: Julian Elischer: "Re: A problem with too many network interfaces"
    Date: Wed, 28 May 2003 15:28:52 -0700
    To: Barney Wolff <barney@databus.com>
    
    

    On Wed, May 28, 2003 at 05:40:46PM -0400, Barney Wolff wrote:
    > On Wed, May 28, 2003 at 02:03:59PM -0700, Crist J. Clark wrote:
    > > On Wed, May 28, 2003 at 12:51:54AM -0400, Paul Chvostek wrote:
    > > >
    > > > I'm considering:
    > > >
    > > > ipfw add N deny ip from a.b.c.d to any
    > > >
    > > > vs.
    > > >
    > > > route add -host a.b.c.d localhost
    > > >
    > > > I need to block traffic to a number of IP addresses. I thought I'd use
    > > > ipfw to avoid things like UDP DNS lookups that might come in and take up
    > > > resources while my system tried to respond, but it's been suggested on
    > > > another list that setting routes to localhost will use less resources.
    > > > Ideally, I'd like to be able to block a few tens of thousands of IPs.
    > > >
    > > > What's the scoop?
    > >
    > > Someone is assuming the old rule for blocking traffic on a (Cisco)
    > > router applies to the FreeBSD stack. It doesn't necessarily apply.
    > >
    > > First off, blocking it in ipfw rules is obviously more efficient if
    > > you are running ipfw(8) already.
    >
    > Can ipfw really handle "tens of thousands" of rules efficiently?

    If we're talking about tens of thousands of hosts sparsely distributed
    through IP-space, I don't think either approach is very practical.

    > If I had to do this inbound, I'd look at netgraph as a way to put
    > custom code in the kernel that looks up the source IP addr in a
    > hash table.

    Writing something that uses pfil(9) might also be a lightweight way to
    do this.

    -- 
    Crist J. Clark                     |     cjclark@alum.mit.edu
                                       |     cjclark@jhu.edu
    http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
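The hash-table lookup floated above, as an added example that is not code from this thread or from FreeBSD: a userland model of checking a packet's source address against a large block list in expected constant time, next to the linear walk that a ruleset of tens of thousands of `ipfw add N deny` lines amounts to. The 20000-host block list (10.x.y.z addresses scattered by a Weyl sequence) and the probe addresses are constructed for illustration; a real implementation would sit behind a pfil(9) hook or a netgraph node and use kernel allocators, and nothing here is the ipfw(8) rule engine itself.

```c
/* Added example, not code from the thread: a userland model of the idea
 * floated above (look the source address up in a hash table rather than
 * walk a linear list of deny rules). The 20000-host block list and the
 * probe addresses are constructed for illustration; a real version would
 * sit behind a pfil(9) hook and use kernel allocators. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 65536u   /* power of two; insertion stops at load 0.5 */
#define SAMPLE_N   20000u   /* "tens of thousands" of blocked hosts */

typedef struct {
    uint32_t slots[TABLE_SIZE]; /* host-order IPv4 addresses, 0 = empty */
    size_t count;
} blocklist_t;

/* Dotted quad -> host-order uint32; 0 for malformed input (0.0.0.0 is
 * therefore unrepresentable, which is fine since 0 marks an empty slot). */
uint32_t ipv4_to_u32(const char *s) {
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Mix the whole word before masking: the low bits of a sparse block list
 * cluster badly (many hosts share a /24 or a last octet). */
static size_t hash_ip(uint32_t ip) {
    ip ^= ip >> 16; ip *= 0x45d9f3bu; ip ^= ip >> 16;
    return ip & (TABLE_SIZE - 1);
}

/* Insert with linear probing; refuses above load 0.5 so probe runs stay short. */
int blocklist_add(blocklist_t *bl, uint32_t ip) {
    if (ip == 0 || bl->count >= TABLE_SIZE / 2) return 0;
    size_t i = hash_ip(ip);
    for (; bl->slots[i] != 0; i = (i + 1) & (TABLE_SIZE - 1))
        if (bl->slots[i] == ip) return 1;       /* already present */
    bl->slots[i] = ip; bl->count++;
    return 1;
}

/* Per-packet check; *probes gets the number of slots examined. */
int blocklist_contains(const blocklist_t *bl, uint32_t ip, size_t *probes) {
    size_t i = hash_ip(ip), n = 1;
    for (; bl->slots[i] != 0; i = (i + 1) & (TABLE_SIZE - 1), n++)
        if (bl->slots[i] == ip) { *probes = n; return 1; }
    *probes = n;
    return 0;
}

/* What a long ipfw ruleset amounts to: test every rule until one matches. */
int linear_contains(const uint32_t *list, size_t n, uint32_t ip, size_t *compares) {
    for (size_t i = 0; i < n; i++)
        if (list[i] == ip) { *compares = i + 1; return 1; }
    *compares = n;
    return 0;
}

/* Constructed sample: 10.x.y.z with the low 24 bits from a Weyl sequence,
 * so the hosts are distinct and scattered rather than one contiguous block. */
static blocklist_t g_table; static uint32_t g_linear[SAMPLE_N]; static int g_built;

static void build_sample(void) {
    if (g_built) return;
    for (uint32_t i = 0; i < SAMPLE_N; i++) {
        g_linear[i] = (10u << 24) | ((i * 2654435761u) & 0x00ffffffu);
        blocklist_add(&g_table, g_linear[i]);
    }
    g_built = 1;
}

/* 1 = blocked, 0 = not blocked, -1 = address did not parse. */
int sample_is_blocked(const char *dotted) {
    uint32_t ip = ipv4_to_u32(dotted); size_t p;
    build_sample();
    return ip ? blocklist_contains(&g_table, ip, &p) : -1;
}

size_t sample_hash_probes(const char *dotted) {
    size_t p; build_sample();
    blocklist_contains(&g_table, ipv4_to_u32(dotted), &p);
    return p;
}

size_t sample_linear_compares(const char *dotted) {
    size_t c; build_sample();
    linear_contains(g_linear, SAMPLE_N, ipv4_to_u32(dotted), &c);
    return c;
}

int main(void) {
    const char *probe[] = { "10.55.121.177", "192.0.2.1" }; /* member, non-member */
    for (int i = 0; i < 2; i++)
        printf("%-14s blocked=%d hash probes=%zu linear compares=%zu\n", probe[i],
               sample_is_blocked(probe[i]), sample_hash_probes(probe[i]),
               sample_linear_compares(probe[i]));
    return 0;
}
```

The non-member probe is the case that matters for a busy host: every packet from an address that is not blocked still costs the full 20000 comparisons in the linear model, but only the length of one probe run in the table. Note the caveat the empty-slot marker imposes (0.0.0.0 cannot be listed) and the refusal to insert past half full; both are deliberate simplifications of the model, not properties of any FreeBSD code. Later ipfw releases added in-kernel lookup tables (`ipfw table`) that address the same scaling problem; that facility postdates this thread.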
    
