Re: Blocking very many (tens of thousands) ip addresses in ipfw
On Wednesday 14 January 2009 18:13:06 Steve Bertrand wrote:
> Pieter de Goeje wrote:
> > On Wednesday 14 January 2009 17:23:25 Artem Kuchin wrote:
> >> I need to block around 15 ip addresses from accessing the server at all
> >> at any port. The addresses are random, they are not nets.
> >> These are the spammers I want to block for 24 hours.
> >> The list is dynamically generated and regenerated every hour or so.
> >> What is the most efficient way to do it?
> >> At first I thought of doing ipfw rules using 5 ips per rule, that would
> >> result in 3 rules! This will be too slow!
> >> I need something really quick and smart. Like matching the first
> >> number from the ip (195 from 192.1.2.3),
> >> if it does not match - skip, if it does - compare the next one
> >> and so on.
> >
> > Quoting ipfw(8):
> > LOOKUP TABLES
> > Lookup tables are useful to handle large sparse address sets,
> > typically from a hundred to several thousands of entries. There may be
> > up to 128 different lookup tables, numbered 0 to 127.
> >
> > net.inet.ip.fw.dyn_buckets should probably also be increased to
> > efficiently handle 150k IPs.
>
> Please correct me if I'm wrong, but if the OP is going to drop all
> traffic immediately from the 150k IPs, then dyn_buckets shouldn't come
> into play, as there is no dynamic rule generated.
>
> Steve

Ah, never mind then, I misread the manpage. I thought it also applied to
normal tables.

--
Pieter de Goeje

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Blocking very many (tens of thousands) ip addresses in ipfw
On Wed, Jan 14, 2009 at 08:30:53PM -0800, mojo fms wrote:
> On Wed, Jan 14, 2009 at 9:13 AM, Steve Bertrand wrote:
> > Pieter de Goeje wrote:
> > > On Wednesday 14 January 2009 17:23:25 Artem Kuchin wrote:
> > > > I need to block around 15 ip addresses from accessing the server
> > > > at all at any port. The addresses are random, they are not nets.
> > > > These are the spammers I want to block for 24 hours. The list is
> > > > dynamically generated and regenerated every hour or so. What is
> > > > the most efficient way to do it? At first I thought of doing ipfw
> > > > rules using 5 ips per rule, that would result in 3 rules! This
> > > > will be too slow! I need something really quick and smart.
> > > > Like matching the first number from the ip (195 from 192.1.2.3), if it
> > > > does not match - skip, if it does - compare the next one and so
> > > > on.
> > >
> > > Quoting ipfw(8):
> > > LOOKUP TABLES
> > > Lookup tables are useful to handle large sparse address sets,
> > > typically from a hundred to several thousands of entries.
> > > There may be up to 128 different lookup tables, numbered 0 to
> > > 127.
> > >
> > > net.inet.ip.fw.dyn_buckets should probably also be increased to
> > > efficiently handle 150k IPs.
> >
> > Please correct me if I'm wrong, but if the OP is going to drop all
> > traffic immediately from the 150k IPs, then dyn_buckets shouldn't come
> > into play, as there is no dynamic rule generated.
>
> Is this kind of thing doable with PF or really an ipfw thing more?

# pfctl -sm
states        hard limit 1
src-nodes     hard limit 1
frags         hard limit 5000
tables        hard limit 1000
table-entries hard limit 20

--
George
Re: Blocking very many (tens of thousands) ip addresses in ipfw
Is this kind of thing doable with PF or really an ipfw thing more?

On Wed, Jan 14, 2009 at 9:13 AM, Steve Bertrand wrote:
> Pieter de Goeje wrote:
> > On Wednesday 14 January 2009 17:23:25 Artem Kuchin wrote:
> >> I need to block around 15 ip addresses from accessing the server at all
> >> at any port. The addresses are random, they are not nets.
> >> These are the spammers I want to block for 24 hours.
> >> The list is dynamically generated and regenerated every hour or so.
> >> What is the most efficient way to do it?
> >> At first I thought of doing ipfw rules using 5 ips per rule, that would
> >> result in 3 rules! This will be too slow!
> >> I need something really quick and smart. Like matching the first
> >> number from the ip (195 from 192.1.2.3),
> >> if it does not match - skip, if it does - compare the next one
> >> and so on.
> >
> > Quoting ipfw(8):
> > LOOKUP TABLES
> > Lookup tables are useful to handle large sparse address sets, typically
> > from a hundred to several thousands of entries. There may be up to 128
> > different lookup tables, numbered 0 to 127.
> >
> > net.inet.ip.fw.dyn_buckets should probably also be increased to efficiently
> > handle 150k IPs.
>
> Please correct me if I'm wrong, but if the OP is going to drop all
> traffic immediately from the 150k IPs, then dyn_buckets shouldn't come
> into play, as there is no dynamic rule generated.
>
> Steve
Re: Blocking very many (tens of thousands) ip addresses in ipfw
Pieter de Goeje wrote:
> On Wednesday 14 January 2009 17:23:25 Artem Kuchin wrote:
>> I need to block around 15 ip addresses from accessing the server at all
>> at any port. The addresses are random, they are not nets.
>> These are the spammers I want to block for 24 hours.
>> The list is dynamically generated and regenerated every hour or so.
>> What is the most efficient way to do it?
>> At first I thought of doing ipfw rules using 5 ips per rule, that would
>> result in 3 rules! This will be too slow!
>> I need something really quick and smart. Like matching the first
>> number from the ip (195 from 192.1.2.3),
>> if it does not match - skip, if it does - compare the next one
>> and so on.
>
> Quoting ipfw(8):
> LOOKUP TABLES
> Lookup tables are useful to handle large sparse address sets, typically
> from a hundred to several thousands of entries. There may be up to 128
> different lookup tables, numbered 0 to 127.
>
> net.inet.ip.fw.dyn_buckets should probably also be increased to efficiently
> handle 150k IPs.

Please correct me if I'm wrong, but if the OP is going to drop all
traffic immediately from the 150k IPs, then dyn_buckets shouldn't come
into play, as there is no dynamic rule generated.

Steve
Re: Blocking very many (tens of thousands) ip addresses in ipfw
On Wednesday 14 January 2009 17:23:25 Artem Kuchin wrote:
> I need to block around 15 ip addresses from accessing the server at all
> at any port. The addresses are random, they are not nets.
> These are the spammers I want to block for 24 hours.
> The list is dynamically generated and regenerated every hour or so.
> What is the most efficient way to do it?
> At first I thought of doing ipfw rules using 5 ips per rule, that would
> result in 3 rules! This will be too slow!
> I need something really quick and smart. Like matching the first
> number from the ip (195 from 192.1.2.3),
> if it does not match - skip, if it does - compare the next one
> and so on.

Quoting ipfw(8):

    LOOKUP TABLES
    Lookup tables are useful to handle large sparse address sets, typically
    from a hundred to several thousands of entries. There may be up to 128
    different lookup tables, numbered 0 to 127.

net.inet.ip.fw.dyn_buckets should probably also be increased to efficiently
handle 150k IPs.

--
Pieter de Goeje
Re: Blocking very many (tens of thousands) ip addresses in ipfw
Artem Kuchin wrote:
> I need to block around 15 ip addresses from accessing the server at all
> at any port. The addresses are random, they are not nets.
> These are the spammers I want to block for 24 hours.
> The list is dynamically generated and regenerated every hour or so.
> What is the most efficient way to do it?
> At first I thought of doing ipfw rules using 5 ips per rule, that would
> result in 3 rules! This will be too slow!
> I need something really quick and smart. Like matching the first
> number from the ip (195 from 192.1.2.3),
> if it does not match - skip, if it does - compare the next one
> and so on.

Use tables. They are efficient, and easy to manipulate.

    # ipfw table 1 add xx.xx.xx.xx/xx
    # ipfw add deny all from "table(1)" to any

It would be best if you allowed only legitimate IP addresses to pass
traffic in/out of your network, and then denied all else, but the way your
message reads, this is SMTP traffic inbound, so 'allow some, deny the rest'
doesn't work too well here.

Steve
Re: Blocking very many (tens of thousands) ip addresses in ipfw
In the last episode (Jan 14), Artem Kuchin said:
> I need to block around 15 ip addresses from accessing the server at
> all at any port. The addresses are random, they are not nets. These
> are the spammers I want to block for 24 hours. The list is dynamically
> generated and regenerated every hour or so. What is the most
> efficient way to do it? At first I thought of doing ipfw rules using 5
> ips per rule, that would result in 3 rules! This will be too
> slow! I need something really quick and smart. Like matching the
> first number from the ip (195 from 192.1.2.3), if it does not match -
> skip, if it does - compare the next one and so on.

Take a look at the ipfw manpage, the LOOKUP TABLES section. You can
add/remove entries on the fly if you need to, and for an efficient full
replacement, create a file with contents like:

    table 1 flush
    table 1 add 1.2.3.4
    table 1 add 2.3.4.5

etc, then load it with "ipfw -f file.txt".

--
Dan Nelson
dnel...@allantgroup.com
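Putting Dan's load file and Steve's table rule together, as an added example that is not part of the thread: the script below builds the "ipfw -f" batch from a plain blocklist (one IPv4 address or CIDR per line, '#' comments allowed), validates every entry before it goes into the file, and alternates between two tables so the previous list keeps blocking while the new one loads. The validation matters because "ipfw -f" executes whatever the file contains: the list is generated from spam logs, and a line that is not a bare address would otherwise be passed to ipfw as a command rather than a table entry. Table numbers 1 and 2, rule numbers 100 and 101, the function names and the blocklist format are assumptions made for this example; the deny rules are stateless (no keep-state), so, as Steve notes, dyn_buckets does not come into play.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a blocklist file with
# one IPv4 address or a.b.c.d/n per line; tables 1/2 and rules 100/101
# are arbitrary choices.

# is_ipv4_cidr ENTRY: succeed only for a.b.c.d or a.b.c.d/n with n <= 32
# and every octet 0-255. Anything else (extra tokens, ';', letters, a
# second '/') is rejected so it can never reach "ipfw -f" as a command.
is_ipv4_cidr() {
    case "$1" in
        */*) addr=${1%/*}; prefix=${1#*/} ;;
        *)   addr=$1;       prefix=32 ;;
    esac
    case "$addr" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    case "$prefix" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr              # split into octets; addr is digits and dots only
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_table_load TABLE < list: print the "ipfw -f" batch for TABLE on
# stdout (flush first, then one add per entry). Malformed entries are
# reported on stderr and skipped instead of being handed to ipfw.
gen_table_load() {
    table=$1
    ws=$(printf ' \t\r')      # field separators; tolerates CRLF lists
    printf 'table %s flush\n' "$table"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}      # drop comments
        oldifs=$IFS; IFS=$ws
        set -f; set -- $line; set +f      # split on whitespace, no globbing
        IFS=$oldifs
        [ $# -gt 0 ] || continue          # blank line
        if [ $# -eq 1 ] && is_ipv4_cidr "$1"; then
            printf 'table %s add %s\n' "$table" "$1"
        else
            echo "skipping malformed entry: $line" >&2
        fi
    done
}

# install_rules: one stateless deny per table. Both rules stay in the
# ruleset; only one of the two tables is populated at any time.
install_rules() {
    ipfw -q add 100 deny all from 'table(1)' to any
    ipfw -q add 101 deny all from 'table(2)' to any
}

# reload_blocklist LISTFILE: load the list into whichever table is empty,
# then flush the other. A single "table N flush" followed by the adds
# leaves a short window with no list installed; alternating tables avoids it.
reload_blocklist() {
    if [ "$(ipfw table 1 list | wc -l | tr -d ' ')" -eq 0 ]; then
        new=1; old=2
    else
        new=2; old=1
    fi
    tmp=$(mktemp) || return 1
    gen_table_load "$new" < "$1" > "$tmp" &&
        printf 'table %s flush\n' "$old" >> "$tmp" &&
        ipfw -q -f "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

case "${1-}" in
    install) install_rules ;;
    reload)  reload_blocklist "$2" ;;
esac
```

Run it once with "install" to create the two deny rules, then from cron every hour with "reload /path/to/blocklist". Entries the validator rejects are printed on stderr, so a broken generator shows up in the cron mail instead of silently in the ruleset.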
Blocking very many (tens of thousands) ip addresses in ipfw
I need to block around 15 ip addresses from accessing the server at all
at any port. The addresses are random, they are not nets.
These are the spammers I want to block for 24 hours.
The list is dynamically generated and regenerated every hour or so.
What is the most efficient way to do it?
At first I thought of doing ipfw rules using 5 ips per rule, that would
result in 3 rules! This will be too slow!
I need something really quick and smart. Like matching the first
number from the ip (195 from 192.1.2.3),
if it does not match - skip, if it does - compare the next one
and so on.

--
Regards
Artem Kuchin