For accounting, you can use dynamic dummynet pipes as the
final accept rule, e.g. replace all rules of the form
accept ip from X to Y
with
pipe 9999 ip from X to Y
and something like this for accounting on source ip
ipfw pipe 9999 config mask src-ip 0xffffffff
For managing the separate IPs, it really depends a lot on the actions
you need to perform, e.g. you might be able to define a few classes
of hosts and have rulesets for them, and then jump to the appropriate
ruleset for each host depending on the IP, maybe using masks whenever possible
to reduce the actual number of rules.
Of course, if performance is an issue you might want to develop some
special 'lookup' ipfw rule by modifying the ipfw kernel code.
cheers
luigi
> Hi!
>
> We have to account the traffic of >450 IPs and also have to deny
> traffic to/from a few IPs.
>
> We are currently using a half-baked solution with ipfw and a
> config with 6 rules for each IP, which makes the stuff quite
> uncomfortable.
> (on high network load, "ipfw list" takes minutes, we have to check
> 6 rules for each IP, ...)
>
> We are now searching for other solutions and I wondered if one could
> recommend them.
>
> I'd prefer something that automatically accounts the traffic
> for all routed IPs (and, if possible, with some exceptions, e.g.
> only traffic that leaves a certain subnet), and can also still deny
> some traffic.
>
> Does anyone have some suggestions for us?
>
> Thanks
>
> Alex
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-net" in the body of the message
>
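Luigi's dynamic-pipe suggestion, worked out as an added example that is not part of the original thread: a POSIX sh script that prints the ipfw commands for one subnet instead of running them, so the generated ruleset can be reviewed before it is loaded as root. The subnet, the pipe and rule numbers, and the blocked addresses passed to gen_rules are assumptions for illustration. Two pipe rules replace the per-host accept rules: one pipe keyed on source address for traffic leaving the subnet, one keyed on destination address for traffic entering it, so the rule count no longer grows with the number of hosts.

```shell
#!/bin/sh
# Added example, not code from the original post. Prints an ipfw ruleset
# that accounts per-host traffic for a whole subnet with two dynamic
# dummynet pipes. Values below are assumptions for illustration.

SUBNET="192.0.2.0/24"   # assumed customer subnet
OUT_PIPE=9998            # assumed pipe number: traffic leaving SUBNET
IN_PIPE=9999             # assumed pipe number: traffic entering SUBNET

# gen_rules [DENY_IP ...]: print the ipfw commands to stdout.
gen_rules() {
    printf 'ipfw -f flush\n'
    printf 'ipfw pipe flush\n'
    # bw 0 = no shaping. The mask makes dummynet create one dynamic
    # queue (with its own packet/byte counters) per address value.
    printf 'ipfw pipe %d config bw 0 mask src-ip 0xffffffff\n' "$OUT_PIPE"
    printf 'ipfw pipe %d config bw 0 mask dst-ip 0xffffffff\n' "$IN_PIPE"
    # Blocked hosts come first so they never reach the accounting rules.
    n=100
    for ip in "$@"; do
        printf 'ipfw add %d deny ip from %s to any\n' "$n" "$ip"
        n=$((n + 1))
        printf 'ipfw add %d deny ip from any to %s\n' "$n" "$ip"
        n=$((n + 1))
    done
    # Match each packet once on a router: outbound traffic on egress,
    # inbound traffic on ingress. With the default
    # net.inet.ip.fw.one_pass=1 a packet is accepted after the pipe.
    # Traffic between two hosts of SUBNET that crosses the router would
    # hit both pipes; add a "via <wan-if>" clause to exclude it.
    printf 'ipfw add 1000 pipe %d ip from %s to any out\n' "$OUT_PIPE" "$SUBNET"
    printf 'ipfw add 1010 pipe %d ip from any to %s in\n' "$IN_PIPE" "$SUBNET"
    printf 'ipfw add 65000 allow ip from any to any\n'
}

# count_rules [DENY_IP ...]: number of firewall rules in the generated
# set; shows that the count depends only on the deny list, not on the
# number of accounted hosts.
count_rules() {
    gen_rules "$@" | grep -c '^ipfw add '
}
```

Run it as `sh gen.sh 192.0.2.5 192.0.2.6 | sh` (assumed file name) once the output looks right. Afterwards `ipfw pipe 9999 show` lists one dynamic queue per destination address with its packet and byte totals, and `ipfw pipe 9998 show` does the same per source. The counters live only in the kernel: they are reset when a pipe is reconfigured or flushed, and dummynet can reclaim a dynamic queue that has gone idle, so poll the pipes regularly (for example from cron) and store the deltas rather than relying on cumulative kernel counters for long-term accounting.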