In the last episode (Aug 26), Aminuddin said:
> From: Dan Nelson 
> > In the last episode (Aug 26), Aminuddin said:
> > > How do you block this large range of ip addresses from different
> > > subnet? IPFW only allows 65536 rules while this will probably use
> > > up a few hundred thousands of lines.
> > > 
> > > I'm also trying to add this into my proxy configuration file, ss5.conf but
> > > it doesn't allow me to add this large number.
> > > 
> > > IS this the limitation of IPF or FreeBSD? How do I work around this?
> > 
> > Even though there are 65536 rule numbers, each number can actually have
> > any amount of rules assigned to it.  What you're probably looking for,
> > though, is ipfw's table keyword, which uses the same radix tree lookup
> > format as the kernel's routing tables, so it scales well to large
> > amounts of sparse addresses.  man ipfw, search for "lookup tables".
>
> I intend to create a ruleset file consisting of this statement:
> 
> Ruleset------------------------
>
> add 2300 skipto 2301 ip from 0.0.0.0/6 to any
> add 2400 skipto 2401 ip from any to 0.0.0.0/6
> add 2300 skipto 2302 ip from 4.0.0.0/6 to any
> add 2400 skipto 2402 ip from any to 4.0.0.0/6
[...]
> add 2300 skipto 2363 ip from 248.0.0.0/6 to any
> add 2400 skipto 2463 ip from any to 248.0.0.0/6
> add 2300 skipto 2364 ip from 252.0.0.0/6 to any
> add 2400 skipto 2464 ip from any to 252.0.0.0/6
>
> add 2301 deny ip from 3.0.0.0/8 to any
> add 2401 reject ip from any to 3.0.0.0/8
> add 2302 deny ip from 4.0.25.146/31 to any
> add 2402 reject ip from any to 4.0.25.146/31
[...]
> add 2302 deny ip from 4.18.37.16/28 to any
> add 2402 reject ip from any to 4.18.37.16/28
> add 2302 deny ip from 4.18.37.128/25 to any
> add 2402 reject ip from any to 4.18.37.128/25
> ------------------------------------end ruleset
> 
> Will the above rules block me from ssh into my remote server if the
> ip addresses of my local pc (dynamic ip) not within any of the above
> rules ip range as well as block my snmpd services?

Yes; it's a little convoluted but should work.  You want to drop
incoming packets from the listed IP ranges, and return a "host
unreachable" to internal machines sending outgoing packets to the
listed IP ranges?  Wouldn't it be easier to use ipfw's table feature
and have something like this:

add table 1 3.0.0.0/8
add table 1 4.0.25.146/31
add table 1 4.0.25.148/32
[...]
add table 1 4.18.37.16/28
add table 1 4.18.37.128/25
add 2300 deny ip from table 1 to any
add 2400 reject ip from any to table 1

That way you only have two ipfw rules, both of which use a single table
lookup.

-- 
        Dan Nelson
        [EMAIL PROTECTED]
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to