Aminuddin wrote:
Will give this a try. Since my server is a remote server that I can access
only by ssh, what other rules do I need to add in? I don't want to have
a situation where I will lock myself out.

Is it correct to say that the rules that I put in will only block those in
the rules and allow all that are not in the rules?

Thanks

-----Original Message-----
From: Dan Nelson [mailto:[EMAIL PROTECTED]]
Sent: Sunday, August 26, 2007 2:15 PM

To: Aminuddin
Cc: freebsd-questions@freebsd.org
Subject: Re: How to block 200K ip addresses?

In the last episode (Aug 26), Aminuddin said:
From: Dan Nelson [mailto:[EMAIL PROTECTED]]
In the last episode (Aug 26), Aminuddin said:
From: Dan Nelson
In the last episode (Aug 26), Aminuddin said:
How do you block this large range of ip addresses from
different subnet? IPFW only allows 65536 rules while this
will probably use up a few hundred thousands of lines.

I'm also trying to add this into my proxy configuration file,
ss5.conf but it doesn't allow me to add this large number.

Is this the limitation of IPF or FreeBSD? How do I work
around this?

Even though there are 65536 rule numbers, each number can
actually have any amount of rules assigned to it.  What you're
probably looking for, though, is ipfw's table keyword, which
uses the same radix tree lookup format as the kernel's routing
tables, so it scales well to large amounts of sparse addresses.
man ipfw, search for "lookup tables".

I intend to create a ruleset file consisting of this statement:

Ruleset------------------------

add 2300 skipto 2301 ip from 0.0.0.0/6 to any
add 2400 skipto 2401 ip from any to 0.0.0.0/6
add 2300 skipto 2302 ip from 4.0.0.0/6 to any
add 2400 skipto 2402 ip from any to 4.0.0.0/6
[...]
add 2300 skipto 2363 ip from 248.0.0.0/6 to any
add 2400 skipto 2463 ip from any to 248.0.0.0/6
add 2300 skipto 2364 ip from 252.0.0.0/6 to any
add 2400 skipto 2464 ip from any to 252.0.0.0/6

add 2301 deny ip from 3.0.0.0/8 to any
add 2401 reject ip from any to 3.0.0.0/8
add 2302 deny ip from 4.0.25.146/31 to any
add 2402 reject ip from any to 4.0.25.146/31
[...]
add 2302 deny ip from 4.18.37.16/28 to any
add 2402 reject ip from any to 4.18.37.16/28
add 2302 deny ip from 4.18.37.128/25 to any
add 2402 reject ip from any to 4.18.37.128/25
------------------------------------end ruleset

Will the above rules block me from ssh into my remote server if
the ip addresses of my local pc (dynamic ip) not within any of
the above rules ip range as well as block my snmpd services?

Yes; it's a little convoluted but should work.  You want to drop
incoming packets from the listed IP ranges, and return a "host
unreachable" to internal machines sending outgoing packets to the
listed IP ranges?  Wouldn't it be easier to use ipfw's table
feature and have something like this:

add table 1 3.0.0.0/8
add table 1 4.0.25.146/31
add table 1 4.0.25.148/32
[...]
add table 1 4.18.37.16/28
add table 1 4.18.37.128/25
add 2300 deny ip from table 1 to any
add 2400 reject ip from any to table 1

That way you only have two ipfw rules, both of which use a single
table lookup.

My complete list has about 300K of lines. It takes about a few hours
just to load the rules. Will it be faster to load using the table?

I did a quick test myself by fetching the safepeer ip list and adding
it via rules and tables.  This was a quick hack, so I'm just adding the
first IP in each line, not the whole netblock (I didn't want to write a
range->netmask converter).  On my heavily-loaded box (currently doing a
buildworld and some mrtg sweeps), I'm only able to insert about 60 ipfw
"deny ip from 4.0.25.146 to any"-format rules per second.  By contrast:

([EMAIL PROTECTED]) /tmp># head -3 splist1.table
table 1 add 0.0.0.0
table 1 add 4.0.25.146
table 1 add 4.0.26.14
([EMAIL PROTECTED]) /tmp># wc -l splist1.table
  191637 splist1.table
([EMAIL PROTECTED]) /tmp># time ipfw /tmp/splist1.table
ipfw /tmp/splist1.table: U:3.30s S:1.75s E:6.74s CPU:75% Faults:0/95 I/O:0/0
Swaps:0
([EMAIL PROTECTED]) /tmp># ipfw table 1 list | wc -l
  191637

Under 7 seconds to load all 191k entries :)
Please don't top-post.

My understanding is that anything not blocked by these rules will be allowed, unless it is blocked somewhere else in your firewall config.

An easy way to make sure you don't lock yourself out (at least permanently) is to write up a shell script that will revert your rules to your current ruleset and enter it as a cron job set to be run every 5 minutes or so. That way, even if you do lock yourself out, it'll only be a few minutes. If it works and you're not locked out, remove the cron job.
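The two practical pieces the thread leaves open are the range-to-netmask converter Dan skipped in his quick test, and a way to check in advance whether the table would catch the address you administer from. The script below is an added example written for this thread, not code posted by anyone in it. It takes a constructed sample in the "name:first-last" range format that p2p-style blocklists use, summarizes each range into CIDR blocks with Python's standard ipaddress module, renders an ipfw command file in the same "table 1 add ..." form Dan loaded, and reports which of a given set of admin source addresses the table would match. Table number 1 and rule numbers 2300/2400 are taken from the thread; the table(1) match syntax is the ipfw(8) form; the sample ranges and the 203.0.113.5 admin address are made up.

```python
import ipaddress
from typing import Iterator, List, Optional, Tuple

# Constructed sample input in the "name:first-last" range format that
# p2p-style blocklists (such as the safepeer list mentioned in the thread)
# use. These are example ranges only, not a real blocklist.
SAMPLE_RANGES = """\
# comments and blank lines are ignored
Example block A:3.0.0.0-3.255.255.255
Example block B:4.0.25.146-4.0.25.148
Example block C:4.18.37.16-4.18.37.31
Example block D:4.18.37.128-4.18.37.255
"""

# Table and rule numbers follow the thread; any free numbers would do.
TABLE = 1
DENY_RULE = 2300
REJECT_RULE = 2400


def parse_ranges(text: str) -> Iterator[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """Yield (first, last) address pairs from 'name:first-last' lines.

    A bare 'first-last' or a single 'first' is accepted too; the name may
    itself contain colons because only the last one is split on.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        _name, _sep, span = line.rpartition(":")
        first, _dash, last = span.partition("-")
        lo = ipaddress.IPv4Address(first.strip())
        hi = ipaddress.IPv4Address(last.strip()) if last else lo
        if hi < lo:
            lo, hi = hi, lo
        yield lo, hi


def ranges_to_networks(pairs) -> List[ipaddress.IPv4Network]:
    """Convert arbitrary first-last ranges to the minimal set of CIDR blocks.

    summarize_address_range() does the range->netmask work; collapse_addresses()
    then merges adjacent or overlapping blocks so the table stays small.
    """
    nets = []
    for lo, hi in pairs:
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return list(ipaddress.collapse_addresses(nets))


def ipfw_script(nets, table=TABLE, deny_rule=DENY_RULE, reject_rule=REJECT_RULE) -> str:
    """Render an ipfw command file: flush the table, fill it, add two rules.

    Both rules match against the table, so the rule count stays at two no
    matter how long the list is. 'reject' is ipfw's alias for 'unreach host'.
    """
    lines = [f"table {table} flush"]
    lines += [f"table {table} add {net.with_prefixlen}" for net in nets]
    lines.append(f"add {deny_rule} deny ip from table({table}) to any")
    lines.append(f"add {reject_rule} reject ip from any to table({table})")
    return "\n".join(lines) + "\n"


def covering_network(nets, addr: str) -> Optional[ipaddress.IPv4Network]:
    """Return the table entry that would match addr, or None if none does."""
    ip = ipaddress.IPv4Address(addr)
    for net in nets:
        if ip in net:
            return net
    return None


def lockout_risks(nets, admin_sources) -> List[Tuple[str, str]]:
    """List (address, entry) pairs for admin source addresses the table covers.

    Anything not in the table falls through to the rest of the ruleset, so
    an empty result means these two rules alone cannot lock those sources out.
    """
    risks = []
    for addr in admin_sources:
        net = covering_network(nets, addr)
        if net is not None:
            risks.append((addr, net.with_prefixlen))
    return risks


if __name__ == "__main__":
    networks = ranges_to_networks(parse_ranges(SAMPLE_RANGES))
    print(ipfw_script(networks), end="")
    # 203.0.113.5 is a documentation address standing in for the admin's PC.
    print("lockout risks:", lockout_risks(networks, ["203.0.113.5", "4.0.25.147"]))
```

Write the rendered script to a file and load it the way Dan did (ipfw /path/to/file); with the sample input it produces the same 3.0.0.0/8, 4.0.25.146/31 and 4.0.25.148/32 entries that appear in the thread. Run lockout_risks() against the address or range you actually ssh in from before loading: the deny and reject rules only match addresses in the table, so a source that is not listed is left to whatever the rest of the ruleset decides.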
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"