In the last episode (Aug 26), Aminuddin said:
> From: Dan Nelson
>
> > In the last episode (Aug 26), Aminuddin said:
> > > How do you block this large range of IP addresses from different
> > > subnets? IPFW only allows 65536 rules while this will probably use
> > > up a few hundred thousand lines.
> > >
> > > I'm also trying to add this into my proxy configuration file, ss5.conf, but
> > > it doesn't allow me to add this large number.
> > >
> > > Is this the limitation of IPF or FreeBSD? How do I work around this?
> >
> > Even though there are 65536 rule numbers, each number can actually have
> > any amount of rules assigned to it. What you're probably looking for,
> > though, is ipfw's table keyword, which uses the same radix tree lookup
> > format as the kernel's routing tables, so it scales well to large
> > amounts of sparse addresses. man ipfw, search for "lookup tables".
>
> I intend to create a ruleset file consisting of this statement:
>
> Ruleset------------------------
>
> add 2300 skipto 2301 ip from 0.0.0.0/6 to any
> add 2400 skipto 2401 ip from any to 0.0.0.0/6
> add 2300 skipto 2302 ip from 126.96.36.199/6 to any
> add 2400 skipto 2402 ip from any to 188.8.131.52/6
> [...]
> add 2300 skipto 2363 ip from 248.0.0.0/6 to any
> add 2400 skipto 2463 ip from any to 248.0.0.0/6
> add 2300 skipto 2364 ip from 252.0.0.0/6 to any
> add 2400 skipto 2464 ip from any to 252.0.0.0/6
>
> add 2301 deny ip from 184.108.40.206/8 to any
> add 2401 reject ip from any to 220.127.116.11/8
> add 2302 deny ip from 18.104.22.168/31 to any
> add 2402 reject ip from any to 22.214.171.124/31
> [...]
> add 2302 deny ip from 126.96.36.199/28 to any
> add 2402 reject ip from any to 188.8.131.52/28
> add 2302 deny ip from 184.108.40.206/25 to any
> add 2402 reject ip from any to 220.127.116.11/25
> ------------------------------------end ruleset
>
> Will the above rules block me from ssh into my remote server if the
> IP addresses of my local PC (dynamic IP) are not within any of the above
> rules' IP ranges, as well as block my snmpd services?
Yes; it's a little convoluted but should work. You want to drop incoming
packets from the listed IP ranges, and return a "host unreachable" to
internal machines sending outgoing packets to the listed IP ranges?
Wouldn't it be easier to use ipfw's table feature and have something like
this:

add table 1 18.104.22.168/8
add table 1 22.214.171.124/31
add table 1 126.96.36.199/32
[...]
add table 1 188.8.131.52/28
add table 1 184.108.40.206/25
add 2300 deny ip from table 1 to any
add 2400 reject ip from any to table 1

That way you only have two ipfw rules, both of which use a single table
lookup.

--
Dan Nelson
[EMAIL PROTECTED]
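As an added example (not from the thread, and not ipfw's own tooling), a small POSIX sh generator that turns a plain list of CIDR ranges into the two-rule, one-table ruleset Dan describes, validating each entry so a typo in a list of thousands does not silently disappear. It assumes numeric table 1, rule numbers 2300/2400 as in the thread, and ipfw(8)'s `table 1 add <cidr>` and `from table(1)` syntax.

```shell
#!/bin/sh
# Added example (not from the thread): turn a long CIDR list into the
# two-rule, one-table ipfw ruleset Dan describes. Assumptions: numeric
# table 1 and rule numbers 2300/2400 as in the thread; ipfw(8) syntax
# "table 1 add <cidr>" and "from table(1)". If your ipfw does not
# create tables implicitly, prepend a "table 1 create type addr" line.

# valid_cidr A.B.C.D/N: 0 if well-formed (octets <= 255, N in 0..32), else 1.
valid_cidr() {
    case "$1" in ''|*[!0-9./]*|*/*/*) return 1 ;; esac
    addr=${1%/*}; plen=${1#*/}
    [ "$addr" != "$1" ] || return 1          # no '/' at all
    [ "$plen" -ge 0 ] 2>/dev/null && [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_ruleset: read one CIDR per line on stdin, write a ruleset for
# "ipfw -q <file>" on stdout; malformed lines are reported and skipped.
# Returns 1 if anything was skipped so a loader script can stop and ask.
gen_ruleset() {
    skipped=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # blank or comment
        if valid_cidr "$line"; then
            echo "table 1 add $line"
        else
            echo "skipping malformed entry: $line" >&2
            skipped=$((skipped + 1))
        fi
    done
    # Two rules, each a single radix-tree lookup, replace thousands of
    # per-range skipto/deny/reject rules.
    echo "add 2300 deny ip from table(1) to any"
    echo "add 2400 reject ip from any to table(1)"
    [ "$skipped" -eq 0 ]
}

# Constructed sample input: two good ranges, one typo (missing octet).
printf '%s\n' '10.0.0.0/8' '198.51.100.0/24' '203.0.113/24' \
    | gen_ruleset || echo "some entries were skipped, see above" >&2
```

Feed the real list through `gen_ruleset > /etc/ipfw.blocklist` and load it with `ipfw -q /etc/ipfw.blocklist`; a non-zero exit tells you to fix the list before loading.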