Re: Best way to block a long list of IPs?
- From: Luigi Rizzo <rizzo@xxxxxxxx>
- Date: Tue, 20 Jun 2006 14:07:22 -0700
On Tue, Jun 20, 2006 at 10:57:30PM +0200, Phil Regnauld wrote:
Brett Glass (brett) writes:
I've got an application in which I must block incoming TCP
connections to a FreeBSD server from a potentially large list of IP
addresses. Using IPFW is not a very efficient way to accomplish
this, because it must do a linear search of a list (either one
address per rule or an "or" list in a rule) and this could slow
down every packet entering the machine dramatically.
pf tables are VERY efficient -- man pf.conf
there are efficient tables in ipfw as well, which Ruslan implemented
some time ago -- yet another reason we should be grateful to him
http://people.freebsd.org/~ru/help/en/
and also, if your address are in the same /24 subnet, you can use
the ipfw address set format which looks like this
1.2.3.0/24{10,20,21,30,34,55}
and can deal in constant time for up to 256 randomly distributed hosts.
man ipfw has all the details.
cheers
luigi
______________________________________________________________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
- Follow-Ups:
- Re: Best way to block a long list of IPs?
- From: Brett Glass
- Re: Best way to block a long list of IPs?
- References:
- Best way to block a long list of IPs?
- From: Brett Glass
- Re: Best way to block a long list of IPs?
- From: Phil Regnauld
- Best way to block a long list of IPs?
- Prev by Date: Re: Best way to block a long list of IPs?
- Next by Date: Re: Best way to block a long list of IPs?
- Previous by thread: Re: Best way to block a long list of IPs?
- Next by thread: Re: Best way to block a long list of IPs?
- Index(es):
Relevant Pages
|
|
