Re: How to block 200K ip addresses?

2007-08-27 Thread Dan Nelson
In the last episode (Aug 27), Aminuddin said:
> Will give this a try. Since my server is a remote server that I can
> access only by ssh, what other rules do I need to add in? I
> don't want to have a situation where I will lock myself out.

The safest method is to have a serial console configured, so even if
you completely mess up your firewall you can still get to it. 
Otherwise, add some rules at the very beginning that permit traffic
to/from the server you are ssh'ing in from, and start off using "count
log" rules instead of "deny", so you can tell which packets are being
matched.
 
> Is it correct to say that the rules that I put in will only block
> those in the rules and allow all that are not in the rules?

ipfw always has a final rule 65536, which is either "allow ip from any
to any" or "deny ip from any to any" depending on whether the kernel
option "IPFIREWALL_DEFAULT_TO_ACCEPT" was set or not.

-- 
Dan Nelson
[EMAIL PROTECTED]
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: How to block 200K ip addresses?

2007-08-27 Thread Andy Greenwood

Aminuddin wrote:
> Will give this a try. Since my server is a remote server that I can access
> only by ssh, what other rules do I need to add in? I don't want to have
> a situation where I will lock myself out.
>
> Is it correct to say that the rules that I put in will only block those in
> the rules and allow all that are not in the rules?
>
> Thanks
>
> -Original Message-
> From: Dan Nelson [mailto:[EMAIL PROTECTED]
> Sent: Sunday, August 26, 2007 2:15 PM
> To: Aminuddin
> Cc: freebsd-questions@freebsd.org
> Subject: Re: How to block 200K ip addresses?
>
> In the last episode (Aug 26), Aminuddin said:
> > From: Dan Nelson [mailto:[EMAIL PROTECTED]
> > > In the last episode (Aug 26), Aminuddin said:
> > > > From: Dan Nelson
> > > > > In the last episode (Aug 26), Aminuddin said:
> > > > > > How do you block this large range of ip addresses from
> > > > > > different subnet? IPFW only allows 65536 rules while this
> > > > > > will probably use up a few hundred thousands of lines.
> > > > > >
> > > > > > I'm also trying to add this into my proxy configuration file,
> > > > > > ss5.conf but it doesn't allow me to add this large number.
> > > > > >
> > > > > > Is this the limitation of IPF or FreeBSD? How do I work
> > > > > > around this?
> > > > >
> > > > > Even though there are 65536 rule numbers, each number can
> > > > > actually have any amount of rules assigned to it.  What you're
> > > > > probably looking for, though, is ipfw's table keyword, which
> > > > > uses the same radix tree lookup format as the kernel's routing
> > > > > tables, so it scales well to large amounts of sparse addresses.
> > > > > man ipfw, search for "lookup tables".
> > > >
> > > > I intend to create a ruleset file consisting of this statement:
> > > >
> > > > Ruleset
> > > >
> > > > add 2300 skipto 2301 ip from 0.0.0.0/6 to any
> > > > add 2400 skipto 2401 ip from any to 0.0.0.0/6
> > > > add 2300 skipto 2302 ip from 4.0.0.0/6 to any
> > > > add 2400 skipto 2402 ip from any to 4.0.0.0/6
> > > [...]
> > > > add 2300 skipto 2363 ip from 248.0.0.0/6 to any
> > > > add 2400 skipto 2463 ip from any to 248.0.0.0/6
> > > > add 2300 skipto 2364 ip from 252.0.0.0/6 to any
> > > > add 2400 skipto 2464 ip from any to 252.0.0.0/6
> > > >
> > > > add 2301 deny ip from 3.0.0.0/8 to any
> > > > add 2401 reject ip from any to 3.0.0.0/8
> > > > add 2302 deny ip from 4.0.25.146/31 to any
> > > > add 2402 reject ip from any to 4.0.25.146/31
> > > [...]
> > > > add 2302 deny ip from 4.18.37.16/28 to any
> > > > add 2402 reject ip from any to 4.18.37.16/28
> > > > add 2302 deny ip from 4.18.37.128/25 to any
> > > > add 2402 reject ip from any to 4.18.37.128/25
> > > > end ruleset
> > > >
> > > > Will the above rules block me from ssh into my remote server if
> > > > the ip addresses of my local pc (dynamic ip) are not within any of
> > > > the above rules ip range as well as block my snmpd services?
> > >
> > > Yes; it's a little convoluted but should work.  You want to drop
> > > incoming packets from the listed IP ranges, and return a "host
> > > unreachable" to internal machines sending outgoing packets to the
> > > listed IP ranges?  Wouldn't it be easier to use ipfw's table
> > > feature and have something like this:
> > >
> > > add table 1 3.0.0.0/8
> > > add table 1 4.0.25.146/31
> > > add table 1 4.0.25.148/32
> > > [...]
> > > add table 1 4.18.37.16/28
> > > add table 1 4.18.37.128/25
> > > add 2300 deny ip from table 1 to any
> > > add 2400 reject ip from any to table 1
> > >
> > > That way you only have two ipfw rules, both of which use a single
> > > table lookup.
> >
> > My complete list has about 300K of lines. It takes about a few hours
> > just to load the rules. Will it be faster to load using the table?
>
> I did a quick test myself by fetching the safepeer ip list and adding
> it via rules and tables.  This was a quick hack, so I'm just adding the
> first IP in each line, not the whole netblock (I didn't want to write a
> range->netmask converter).  On my heavily-loaded box (currently doing a
> buildworld and some mrtg sweeps), I'm only able to insert about 60 ipfw
> "deny ip from 4.0.25.146 to any"-format rules per second.  By contrast:
>
> ([EMAIL PROTECTED]) /tmp># head -3 splist1.table
> table 1 add 0.0.0.0
> table 1 add 4.0.25.146
> table 1 add 4.0.26.14
> ([EMAIL PROTECTED]) /tmp># wc -l splist1.table
>   191637 splist1.table
> ([EMAIL PROTECTED]) /tmp># time ipfw /tmp/splist1.table
> ipfw /tmp/splist1.table: U:3.30s S:1.75s E:6.74s CPU:75% Faults:0/95 I/O:0/0
> Swaps:0
> ([EMAIL PROTECTED]) /tmp># ipfw table 1 list | wc -l
>   191637
>
> Under 7 seconds to load all 191k entries :)

Please don't top-post.

My understanding is that anything not blocked by these rules will be 
allowed, unless it is blocked somewhere else in your firewall config.


An easy way to make sure you don't lock yourself out (at least 
permanently) is to write up a shell script that will revert your rules 
to your current ruleset and enter it as a cron job set to be run every 5 
minutes or so. That way, even if you do lock yourself out, it'll only be 
a few minutes. If it works and you're not locked out, remove the cron job.



RE: How to block 200K ip addresses?

2007-08-26 Thread Aminuddin
Will give this a try. Since my server is a remote server that I can access
only by ssh, what other rules do I need to add in? I don't want to have
a situation where I will lock myself out.

Is it correct to say that the rules that I put in will only block those in
the rules and allow all that are not in the rules?


Thanks

-Original Message-
From: Dan Nelson [mailto:[EMAIL PROTECTED] 
Sent: Sunday, August 26, 2007 2:15 PM


To: Aminuddin
Cc: freebsd-questions@freebsd.org
Subject: Re: How to block 200K ip addresses?

In the last episode (Aug 26), Aminuddin said:
> From: Dan Nelson [mailto:[EMAIL PROTECTED] 
> > In the last episode (Aug 26), Aminuddin said:
> > > From: Dan Nelson 
> > > > In the last episode (Aug 26), Aminuddin said:
> > > > > How do you block this large range of ip addresses from
> > > > > different subnet? IPFW only allows 65536 rules while this
> > > > > will probably use up a few hundred thousands of lines.
> > > > > 
> > > > > I'm also trying to add this into my proxy configuration file,
> > > > > ss5.conf but it doesn't allow me to add this large number.
> > > > > 
> > > > > Is this the limitation of IPF or FreeBSD? How do I work
> > > > > around this?
> > > > 
> > > > Even though there are 65536 rule numbers, each number can
> > > > actually have any amount of rules assigned to it.  What you're
> > > > probably looking for, though, is ipfw's table keyword, which
> > > > uses the same radix tree lookup format as the kernel's routing
> > > > tables, so it scales well to large amounts of sparse addresses. 
> > > > man ipfw, search for "lookup tables".
> > >
> > > I intend to create a ruleset file consisting of this statement:
> > > 
> > > Ruleset
> > >
> > > add 2300 skipto 2301 ip from 0.0.0.0/6 to any
> > > add 2400 skipto 2401 ip from any to 0.0.0.0/6
> > > add 2300 skipto 2302 ip from 4.0.0.0/6 to any
> > > add 2400 skipto 2402 ip from any to 4.0.0.0/6
> > [...]
> > > add 2300 skipto 2363 ip from 248.0.0.0/6 to any
> > > add 2400 skipto 2463 ip from any to 248.0.0.0/6
> > > add 2300 skipto 2364 ip from 252.0.0.0/6 to any
> > > add 2400 skipto 2464 ip from any to 252.0.0.0/6
> > >
> > > add 2301 deny ip from 3.0.0.0/8 to any
> > > add 2401 reject ip from any to 3.0.0.0/8
> > > add 2302 deny ip from 4.0.25.146/31 to any
> > > add 2402 reject ip from any to 4.0.25.146/31
> > [...]
> > > add 2302 deny ip from 4.18.37.16/28 to any
> > > add 2402 reject ip from any to 4.18.37.16/28
> > > add 2302 deny ip from 4.18.37.128/25 to any
> > > add 2402 reject ip from any to 4.18.37.128/25
> > > end ruleset
> > > 
> > > Will the above rules block me from ssh into my remote server if
> > > the ip addresses of my local pc (dynamic ip) are not within any of
> > > the above rules ip range as well as block my snmpd services?
> > 
> > Yes; it's a little convoluted but should work.  You want to drop
> > incoming packets from the listed IP ranges, and return a "host
> > unreachable" to internal machines sending outgoing packets to the
> > listed IP ranges?  Wouldn't it be easier to use ipfw's table
> > feature and have something like this:
> > 
> > add table 1 3.0.0.0/8
> > add table 1 4.0.25.146/31
> > add table 1 4.0.25.148/32
> > [...]
> > add table 1 4.18.37.16/28
> > add table 1 4.18.37.128/25
> > add 2300 deny ip from table 1 to any
> > add 2400 reject ip from any to table 1
> > 
> > That way you only have two ipfw rules, both of which use a single
> > table lookup.
>
> My complete list has about 300K of lines. It takes about a few hours
> just to load the rules. Will it be faster to load using the table?
 
I did a quick test myself by fetching the safepeer ip list and adding
it via rules and tables.  This was a quick hack, so I'm just adding the
first IP in each line, not the whole netblock (I didn't want to write a
range->netmask converter).  On my heavily-loaded box (currently doing a
buildworld and some mrtg sweeps), I'm only able to insert about 60 ipfw
"deny ip from 4.0.25.146 to any"-format rules per second.  By contrast:

([EMAIL PROTECTED]) /tmp># head -3 splist1.table
table 1 add 0.0.0.0
table 1 add 4.0.25.146
table 1 add 4.0.26.14
([EMAIL PROTECTED]) /tmp># wc -l splist1.table
  191637 splist1.table
([EMAIL PROTECTED]) /tmp># time ipfw /tmp/splist1.table
ipfw /tmp/splist1.table: U:3.30s S:1.75s E:6.74s CPU:75% Faults:0/95 I/O:0/0
Swaps:0
([EMAIL PROTECTED]) /tmp># ipfw table 1 list | wc -l
  191637

Under 7 seconds to load all 191k entries :)

-- 
Dan Nelson
[EMAIL PROTECTED]



Re: How to block 200K ip addresses?

2007-08-26 Thread B H

Dan Nelson:




This was a quick hack, so I'm just adding the
first IP in each line, not the whole netblock (I didn't want to write a
range->netmask converter).


No need to do that, there is ipcalc in the ports.

http://jodies.de/ipcalc


Re: How to block 200K ip addresses?

2007-08-25 Thread Kevin Downey
On 8/25/07, CyberLeo Kitsana <[EMAIL PROTECTED]> wrote:
> Kevin Downey wrote:
> > I would use the pf firewall, it has an option to file tables from a file 
> > like:
> >
> > table  persist file "/root/evil.txt"
> >
> > [EMAIL PROTECTED] /root% wc -l evil.txt
> >   178438 evil.txt
> >
> > so it's not 300k lines but it takes seconds to load.
>
> I attempted something similar with a digest of a PeerGuardian database
> reworked with tableutil-0.6. The resultant file had 157,546 subnet
> declarations in it.
>
> When I attempted to populate a pf table with the file on 6.2-RELEASE, it
> thought about it for a few seconds, then happily reported:
>
> pfctl: Cannot allocate memory.
>
> I never pared it down to see where the actual limit was for my hardware,
> though, as a partial PeerGuardian list is pretty much useless.
>
> --
> Fuzzy love,
> -CyberLeo
> Technical Administrator

This machine is amd64 so perhaps the extra address space? I dunno,
evil.txt is in fact more or less the peerguardian list and it loads.

-- 
I am the kwisatz haderach


Re: How to block 200K ip addresses?

2007-08-25 Thread CyberLeo Kitsana
Kevin Downey wrote:
> I would use the pf firewall, it has an option to file tables from a file like:
> 
> table  persist file "/root/evil.txt"
> 
> [EMAIL PROTECTED] /root% wc -l evil.txt
>   178438 evil.txt
> 
> so it's not 300k lines but it takes seconds to load.

I attempted something similar with a digest of a PeerGuardian database
reworked with tableutil-0.6. The resultant file had 157,546 subnet
declarations in it.

When I attempted to populate a pf table with the file on 6.2-RELEASE, it
thought about it for a few seconds, then happily reported:

pfctl: Cannot allocate memory.

I never pared it down to see where the actual limit was for my hardware,
though, as a partial PeerGuardian list is pretty much useless.

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
<[EMAIL PROTECTED]>

Furry Peace! - http://.fur.com/peace/


Re: How to block 200K ip addresses?

2007-08-25 Thread Dan Nelson
In the last episode (Aug 26), Aminuddin said:
> From: Dan Nelson [mailto:[EMAIL PROTECTED] 
> > In the last episode (Aug 26), Aminuddin said:
> > > From: Dan Nelson 
> > > > In the last episode (Aug 26), Aminuddin said:
> > > > > How do you block this large range of ip addresses from
> > > > > different subnet? IPFW only allows 65536 rules while this
> > > > > will probably use up a few hundred thousands of lines.
> > > > > 
> > > > > I'm also trying to add this into my proxy configuration file,
> > > > > ss5.conf but it doesn't allow me to add this large number.
> > > > > 
> > > > > Is this the limitation of IPF or FreeBSD? How do I work
> > > > > around this?
> > > > 
> > > > Even though there are 65536 rule numbers, each number can
> > > > actually have any amount of rules assigned to it.  What you're
> > > > probably looking for, though, is ipfw's table keyword, which
> > > > uses the same radix tree lookup format as the kernel's routing
> > > > tables, so it scales well to large amounts of sparse addresses. 
> > > > man ipfw, search for "lookup tables".
> > >
> > > I intend to create a ruleset file consisting of this statement:
> > > 
> > > Ruleset
> > >
> > > add 2300 skipto 2301 ip from 0.0.0.0/6 to any
> > > add 2400 skipto 2401 ip from any to 0.0.0.0/6
> > > add 2300 skipto 2302 ip from 4.0.0.0/6 to any
> > > add 2400 skipto 2402 ip from any to 4.0.0.0/6
> > [...]
> > > add 2300 skipto 2363 ip from 248.0.0.0/6 to any
> > > add 2400 skipto 2463 ip from any to 248.0.0.0/6
> > > add 2300 skipto 2364 ip from 252.0.0.0/6 to any
> > > add 2400 skipto 2464 ip from any to 252.0.0.0/6
> > >
> > > add 2301 deny ip from 3.0.0.0/8 to any
> > > add 2401 reject ip from any to 3.0.0.0/8
> > > add 2302 deny ip from 4.0.25.146/31 to any
> > > add 2402 reject ip from any to 4.0.25.146/31
> > [...]
> > > add 2302 deny ip from 4.18.37.16/28 to any
> > > add 2402 reject ip from any to 4.18.37.16/28
> > > add 2302 deny ip from 4.18.37.128/25 to any
> > > add 2402 reject ip from any to 4.18.37.128/25
> > > end ruleset
> > > 
> > > Will the above rules block me from ssh into my remote server if
> > > the ip addresses of my local pc (dynamic ip) are not within any of
> > > the above rules ip range as well as block my snmpd services?
> > 
> > Yes; it's a little convoluted but should work.  You want to drop
> > incoming packets from the listed IP ranges, and return a "host
> > unreachable" to internal machines sending outgoing packets to the
> > listed IP ranges?  Wouldn't it be easier to use ipfw's table
> > feature and have something like this:
> > 
> > add table 1 3.0.0.0/8
> > add table 1 4.0.25.146/31
> > add table 1 4.0.25.148/32
> > [...]
> > add table 1 4.18.37.16/28
> > add table 1 4.18.37.128/25
> > add 2300 deny ip from table 1 to any
> > add 2400 reject ip from any to table 1
> > 
> > That way you only have two ipfw rules, both of which use a single
> > table lookup.
>
> My complete list has about 300K of lines. It takes about a few hours
> just to load the rules. Will it be faster to load using the table?
 
I did a quick test myself by fetching the safepeer ip list and adding
it via rules and tables.  This was a quick hack, so I'm just adding the
first IP in each line, not the whole netblock (I didn't want to write a
range->netmask converter).  On my heavily-loaded box (currently doing a
buildworld and some mrtg sweeps), I'm only able to insert about 60 ipfw
"deny ip from 4.0.25.146 to any"-format rules per second.  By contrast:

([EMAIL PROTECTED]) /tmp># head -3 splist1.table
table 1 add 0.0.0.0
table 1 add 4.0.25.146
table 1 add 4.0.26.14
([EMAIL PROTECTED]) /tmp># wc -l splist1.table
  191637 splist1.table
([EMAIL PROTECTED]) /tmp># time ipfw /tmp/splist1.table
ipfw /tmp/splist1.table: U:3.30s S:1.75s E:6.74s CPU:75% Faults:0/95 I/O:0/0 
Swaps:0
([EMAIL PROTECTED]) /tmp># ipfw table 1 list | wc -l
  191637

Under 7 seconds to load all 191k entries :)

-- 
Dan Nelson
[EMAIL PROTECTED]
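Dan's quick hack above loads only the first address of each line and skips the range->netmask conversion. Below is an added example of that conversion (it is not code from the thread or from any of its participants): it turns a PeerGuardian/safepeer-style list of "description:first-last" ranges into the "table 1 add prefix" lines that ipfw reads from a file, merging adjacent and overlapping ranges into as few blocks as possible. The input layout, the script name ranges2table.py and the sample list are assumptions; the sample ranges are constructed so that they produce the same five blocks as Dan's table example. Because Aminuddin's real worry is locking himself out, the script also reports whether a given address (your own ssh source) falls inside any block before the table is written.

```python
"""ranges2table.py: convert an IP range list into ipfw lookup-table commands.

Added example, not from the mailing-list thread. Assumed input: one
"description:first_ip-last_ip" per line (PeerGuardian .p2p layout); the
description may contain ':' and a bare single address is accepted too.
Output: "table N add a.b.c.d/nn" lines, loadable with `ipfw /path/to/file`.
"""
import ipaddress
import sys
from typing import Iterable, Iterator, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# Constructed sample input, not a real blocklist. The first four ranges are
# chosen so that they convert to the blocks in Dan Nelson's table example;
# the fifth lies inside the first and shows that overlaps are collapsed.
SAMPLE_LIST = """\
# comments and blank lines are ignored
Example block A:3.0.0.0-3.255.255.255
Example block B:4.0.25.146-4.0.25.148
Example block C:4.18.37.16-4.18.37.31
Example block D:4.18.37.128-4.18.37.255
Duplicate inside A:3.1.0.0-3.1.255.255
"""


def parse_ranges(text: str) -> Iterator[Range]:
    """Yield (first, last) address pairs; reject malformed or reversed ranges loudly."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Descriptions may themselves contain ':', so split on the last one.
        _, _, span = line.rpartition(":")
        first_s, sep, last_s = span.partition("-")
        if not sep:
            last_s = first_s  # a bare address is a range of one
        try:
            first = ipaddress.IPv4Address(first_s.strip())
            last = ipaddress.IPv4Address(last_s.strip())
        except ValueError as exc:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}") from exc
        if last < first:
            raise ValueError(f"line {lineno}: range ends before it starts: {raw!r}")
        yield first, last


def ranges_to_networks(ranges: Iterable[Range]) -> List[IPv4Net]:
    """Split each range into minimal CIDR blocks, then merge and deduplicate across entries."""
    nets: List[IPv4Net] = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(first, last))
    # collapse_addresses joins adjacent blocks and drops blocks contained in others
    return list(ipaddress.collapse_addresses(nets))


def ipfw_table_lines(networks: Iterable[IPv4Net], table: int = 1) -> List[str]:
    """Render the lines ipfw(8) accepts from a file: one 'table N add prefix' per block."""
    return [f"table {table} add {net.with_prefixlen}" for net in networks]


def covering_network(networks: Iterable[IPv4Net], addr: str) -> Optional[IPv4Net]:
    """Return the block that would match addr (e.g. your own ssh source), or None."""
    a = ipaddress.IPv4Address(addr)
    for net in networks:
        if a in net:
            return net
    return None


def build_table(text: str, table: int = 1) -> List[str]:
    """Full pipeline: range text in, ipfw table lines out."""
    return ipfw_table_lines(ranges_to_networks(parse_ranges(text)), table)


if __name__ == "__main__":
    # usage: python3 ranges2table.py [ranges.txt] [your-ssh-source-ip]
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LIST
    nets = ranges_to_networks(parse_ranges(src))
    if len(sys.argv) > 2:
        hit = covering_network(nets, sys.argv[2])
        if hit is not None:
            sys.exit(f"refusing to emit table: {sys.argv[2]} is inside {hit}")
    print("\n".join(ipfw_table_lines(nets)))
```

Run it as `python3 ranges2table.py ranges.txt <your-ssh-source-ip> > blocklist.table` and load the result with `ipfw blocklist.table`, the same form Dan timed; the path and file name are placeholders. Merging also shrinks the table, since consecutive ranges that together fill a larger block become a single entry.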


Re: How to block 200K ip addresses?

2007-08-25 Thread Kevin Downey
On 8/25/07, Aminuddin <[EMAIL PROTECTED]> wrote:
> My complete list has about 300K of lines.
> It takes about a few hours just to load the rules.
> Will it be faster to load using the table?
>
>
> -Original Message-
> From: Dan Nelson [mailto:[EMAIL PROTECTED]
> Sent: Sunday, August 26, 2007 9:37 AM
> To: Aminuddin
> Cc: freebsd-questions@freebsd.org
> Subject: Re: How to block 200K ip addresses?
>
> In the last episode (Aug 26), Aminuddin said:
> > From: Dan Nelson
> > > In the last episode (Aug 26), Aminuddin said:
> > > > How do you block this large range of ip addresses from different
> > > > subnet? IPFW only allows 65536 rules while this will probably use
> > > > up a few hundred thousands of lines.
> > > >
> > > > I'm also trying to add this into my proxy configuration file, ss5.conf
> but
> > > > it doesn't allow me to add this large number.
> > > >
> > > > Is this the limitation of IPF or FreeBSD? How do I work around this?
> > >
> > > Even though there are 65536 rule numbers, each number can actually have
> > > any amount of rules assigned to it.  What you're probably looking for,
> > > though, is ipfw's table keyword, which uses the same radix tree lookup
> > > format as the kernel's routing tables, so it scales well to large
> > > amounts of sparse addresses.  man ipfw, search for "lookup tables".
> >
> > I intend to create a ruleset file consisting of this statement:
> >
> > Ruleset
> >
> > add 2300 skipto 2301 ip from 0.0.0.0/6 to any
> > add 2400 skipto 2401 ip from any to 0.0.0.0/6
> > add 2300 skipto 2302 ip from 4.0.0.0/6 to any
> > add 2400 skipto 2402 ip from any to 4.0.0.0/6
> [...]
> > add 2300 skipto 2363 ip from 248.0.0.0/6 to any
> > add 2400 skipto 2463 ip from any to 248.0.0.0/6
> > add 2300 skipto 2364 ip from 252.0.0.0/6 to any
> > add 2400 skipto 2464 ip from any to 252.0.0.0/6
> >
> > add 2301 deny ip from 3.0.0.0/8 to any
> > add 2401 reject ip from any to 3.0.0.0/8
> > add 2302 deny ip from 4.0.25.146/31 to any
> > add 2402 reject ip from any to 4.0.25.146/31
> [...]
> > add 2302 deny ip from 4.18.37.16/28 to any
> > add 2402 reject ip from any to 4.18.37.16/28
> > add 2302 deny ip from 4.18.37.128/25 to any
> > add 2402 reject ip from any to 4.18.37.128/25
> > end ruleset
> >
> > Will the above rules block me from ssh into my remote server if the
> > ip addresses of my local pc (dynamic ip) are not within any of the above
> > rules ip range as well as block my snmpd services?
>
> Yes; it's a little convoluted but should work.  You want to drop
> incoming packets from the listed IP ranges, and return a "host
> unreachable" to internal machines sending outgoing packets to the
> listed IP ranges?  Wouldn't it be easier to use ipfw's table feature
> and have something like this:
>
> add table 1 3.0.0.0/8
> add table 1 4.0.25.146/31
> add table 1 4.0.25.148/32
> [...]
> add table 1 4.18.37.16/28
> add table 1 4.18.37.128/25
> add 2300 deny ip from table 1 to any
> add 2400 reject ip from any to table 1
>
> That way you only have two ipfw rules, both of which use a single table
> lookup.
>
> --
> Dan Nelson
> [EMAIL PROTECTED]
>
>

I would use the pf firewall, it has an option to file tables from a file like:

table  persist file "/root/evil.txt"

[EMAIL PROTECTED] /root% wc -l evil.txt
  178438 evil.txt

so it's not 300k lines but it takes seconds to load.

-- 
I am the kwisatz haderach


RE: How to block 200K ip addresses?

2007-08-25 Thread Aminuddin
My complete list has about 300K of lines.
It takes about a few hours just to load the rules.
Will it be faster to load using the table?


-Original Message-
From: Dan Nelson [mailto:[EMAIL PROTECTED] 
Sent: Sunday, August 26, 2007 9:37 AM
To: Aminuddin
Cc: freebsd-questions@freebsd.org
Subject: Re: How to block 200K ip addresses?

In the last episode (Aug 26), Aminuddin said:
> From: Dan Nelson 
> > In the last episode (Aug 26), Aminuddin said:
> > > How do you block this large range of ip addresses from different
> > > subnet? IPFW only allows 65536 rules while this will probably use
> > > up a few hundred thousands of lines.
> > > 
> > > I'm also trying to add this into my proxy configuration file, ss5.conf
but
> > > it doesn't allow me to add this large number.
> > > 
> > > Is this the limitation of IPF or FreeBSD? How do I work around this?
> > 
> > Even though there are 65536 rule numbers, each number can actually have
> > any amount of rules assigned to it.  What you're probably looking for,
> > though, is ipfw's table keyword, which uses the same radix tree lookup
> > format as the kernel's routing tables, so it scales well to large
> > amounts of sparse addresses.  man ipfw, search for "lookup tables".
>
> I intend to create a ruleset file consisting of this statement:
> 
> Ruleset
>
> add 2300 skipto 2301 ip from 0.0.0.0/6 to any
> add 2400 skipto 2401 ip from any to 0.0.0.0/6
> add 2300 skipto 2302 ip from 4.0.0.0/6 to any
> add 2400 skipto 2402 ip from any to 4.0.0.0/6
[...]
> add 2300 skipto 2363 ip from 248.0.0.0/6 to any
> add 2400 skipto 2463 ip from any to 248.0.0.0/6
> add 2300 skipto 2364 ip from 252.0.0.0/6 to any
> add 2400 skipto 2464 ip from any to 252.0.0.0/6
>
> add 2301 deny ip from 3.0.0.0/8 to any
> add 2401 reject ip from any to 3.0.0.0/8
> add 2302 deny ip from 4.0.25.146/31 to any
> add 2402 reject ip from any to 4.0.25.146/31
[...]
> add 2302 deny ip from 4.18.37.16/28 to any
> add 2402 reject ip from any to 4.18.37.16/28
> add 2302 deny ip from 4.18.37.128/25 to any
> add 2402 reject ip from any to 4.18.37.128/25
> end ruleset
> 
> Will the above rules block me from ssh into my remote server if the
> ip addresses of my local pc (dynamic ip) are not within any of the above
> rules ip range as well as block my snmpd services?

Yes; it's a little convoluted but should work.  You want to drop
incoming packets from the listed IP ranges, and return a "host
unreachable" to internal machines sending outgoing packets to the
listed IP ranges?  Wouldn't it be easier to use ipfw's table feature
and have something like this:

add table 1 3.0.0.0/8
add table 1 4.0.25.146/31
add table 1 4.0.25.148/32
[...]
add table 1 4.18.37.16/28
add table 1 4.18.37.128/25
add 2300 deny ip from table 1 to any
add 2400 reject ip from any to table 1

That way you only have two ipfw rules, both of which use a single table
lookup.

-- 
Dan Nelson
[EMAIL PROTECTED]



Re: How to block 200K ip addresses?

2007-08-25 Thread Dan Nelson
In the last episode (Aug 26), Aminuddin said:
> From: Dan Nelson 
> > In the last episode (Aug 26), Aminuddin said:
> > > How do you block this large range of ip addresses from different
> > > subnet? IPFW only allows 65536 rules while this will probably use
> > > up a few hundred thousands of lines.
> > > 
> > > I'm also trying to add this into my proxy configuration file, ss5.conf but
> > > it doesn't allow me to add this large number.
> > > 
> > > Is this the limitation of IPF or FreeBSD? How do I work around this?
> > 
> > Even though there are 65536 rule numbers, each number can actually have
> > any amount of rules assigned to it.  What you're probably looking for,
> > though, is ipfw's table keyword, which uses the same radix tree lookup
> > format as the kernel's routing tables, so it scales well to large
> > amounts of sparse addresses.  man ipfw, search for "lookup tables".
>
> I intend to create a ruleset file consisting of this statement:
> 
> Ruleset
>
> add 2300 skipto 2301 ip from 0.0.0.0/6 to any
> add 2400 skipto 2401 ip from any to 0.0.0.0/6
> add 2300 skipto 2302 ip from 4.0.0.0/6 to any
> add 2400 skipto 2402 ip from any to 4.0.0.0/6
[...]
> add 2300 skipto 2363 ip from 248.0.0.0/6 to any
> add 2400 skipto 2463 ip from any to 248.0.0.0/6
> add 2300 skipto 2364 ip from 252.0.0.0/6 to any
> add 2400 skipto 2464 ip from any to 252.0.0.0/6
>
> add 2301 deny ip from 3.0.0.0/8 to any
> add 2401 reject ip from any to 3.0.0.0/8
> add 2302 deny ip from 4.0.25.146/31 to any
> add 2402 reject ip from any to 4.0.25.146/31
[...]
> add 2302 deny ip from 4.18.37.16/28 to any
> add 2402 reject ip from any to 4.18.37.16/28
> add 2302 deny ip from 4.18.37.128/25 to any
> add 2402 reject ip from any to 4.18.37.128/25
> end ruleset
> 
> Will the above rules block me from ssh into my remote server if the
> ip addresses of my local pc (dynamic ip) are not within any of the above
> rules ip range as well as block my snmpd services?

Yes; it's a little convoluted but should work.  You want to drop
incoming packets from the listed IP ranges, and return a "host
unreachable" to internal machines sending outgoing packets to the
listed IP ranges?  Wouldn't it be easier to use ipfw's table feature
and have something like this:

add table 1 3.0.0.0/8
add table 1 4.0.25.146/31
add table 1 4.0.25.148/32
[...]
add table 1 4.18.37.16/28
add table 1 4.18.37.128/25
add 2300 deny ip from table 1 to any
add 2400 reject ip from any to table 1

That way you only have two ipfw rules, both of which use a single table
lookup.

-- 
Dan Nelson
[EMAIL PROTECTED]


RE: How to block 200K ip addresses?

2007-08-25 Thread Aminuddin
 4.18.32.208/29
add 2302 deny ip from 4.18.32.224/28 to any
add 2402 reject ip from any to 4.18.32.224/28
add 2302 deny ip from 4.18.34.0/27 to any
add 2402 reject ip from any to 4.18.34.0/27
add 2302 deny ip from 4.18.34.136/29 to any
add 2402 reject ip from any to 4.18.34.136/29
add 2302 deny ip from 4.18.34.224/29 to any
add 2402 reject ip from any to 4.18.34.224/29
add 2302 deny ip from 4.18.35.16/29 to any
add 2402 reject ip from any to 4.18.35.16/29
add 2302 deny ip from 4.18.35.48/28 to any
add 2402 reject ip from any to 4.18.35.48/28
add 2302 deny ip from 4.18.35.200/29 to any
add 2402 reject ip from any to 4.18.35.200/29
add 2302 deny ip from 4.18.35.224/27 to any
add 2402 reject ip from any to 4.18.35.224/27
add 2302 deny ip from 4.18.36.0/26 to any
add 2402 reject ip from any to 4.18.36.0/26
add 2302 deny ip from 4.18.37.16/28 to any
add 2402 reject ip from any to 4.18.37.16/28
add 2302 deny ip from 4.18.37.128/25 to any
add 2402 reject ip from any to 4.18.37.128/25
add 2302 deny ip from 4.18.38.0/24 to any
end ruleset

Will the above rules block me from ssh into my remote server if the ip
addresses of my local pc (dynamic ip) are not within any of the above rules ip
range as well as block my snmpd services?


-Original Message-
From: Dan Nelson [mailto:[EMAIL PROTECTED] 
Sent: Sunday, August 26, 2007 5:14 AM
To: Aminuddin
Cc: freebsd-questions@freebsd.org
Subject: Re: How to block 200K ip addresses?

In the last episode (Aug 26), Aminuddin said:
> How do you block this large range of ip addresses from different
> subnet? IPFW only allows 65536 rules while this will probably use up
> a few hundred thousands of lines.
> 
> I'm also trying to add this into my proxy configuration file, ss5.conf but
> it doesn't allow me to add this large number.
> 
> Is this the limitation of IPF or FreeBSD? How do I work around this?

Even though there are 65536 rule numbers, each number can actually have
any amount of rules assigned to it.  What you're probably looking for,
though, is ipfw's table keyword, which uses the same radix tree lookup
format as the kernel's routing tables, so it scales well to large
amounts of sparse addresses.  man ipfw, search for "lookup tables".

-- 
Dan Nelson
[EMAIL PROTECTED]



Re: How to block 200K ip addresses?

2007-08-25 Thread Dan Nelson
In the last episode (Aug 26), Aminuddin said:
> How do you block this large range of ip addresses from different
> subnet? IPFW only allows 65536 rules while this will probably use up
> a few hundred thousands of lines.
> 
> I'm also trying to add this into my proxy configuration file, ss5.conf but
> it doesn't allow me to add this large number.
> 
> Is this the limitation of IPF or FreeBSD? How do I work around this?

Even though there are 65536 rule numbers, each number can actually have
any amount of rules assigned to it.  What you're probably looking for,
though, is ipfw's table keyword, which uses the same radix tree lookup
format as the kernel's routing tables, so it scales well to large
amounts of sparse addresses.  man ipfw, search for "lookup tables".

-- 
Dan Nelson
[EMAIL PROTECTED]


Re: How to block 200K ip addresses?

2007-08-25 Thread Bill Moran
In response to "Aminuddin" <[EMAIL PROTECTED]>:

> Hi,
> How do you block this large range of ip addresses from different subnet?
> IPFW only allows 65536 rules while this will probably use up a few hundred
> thousands of lines.
> 
> I'm also trying to add this into my proxy configuration file, ss5.conf but
> it doesn't allow me to add this large number.
> 
> Is this the limitation of IPF or FreeBSD? How do I work around this?

Not sure if this is a limitation of ipf, but you should be able to do
what you want with pf and pf tables.  As long as you're using a
relatively recent version of FreeBSD, you'll have pf as an option.

-- 
Bill Moran
http://www.potentialtech.com


RE: How to block 200K ip addresses?

2007-08-25 Thread Aminuddin
Hi,
How do you block this large range of ip addresses from different subnet?
IPFW only allows 65536 rules while this will probably use up a few hundred
thousands of lines.

I'm also trying to add this into my proxy configuration file, ss5.conf but
it doesn't allow me to add this large number.

Is this the limitation of IPF or FreeBSD? How do I work around this?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Saturday, August 25, 2007 8:00 PM
To: freebsd-questions@freebsd.org
Subject: freebsd-questions Digest, Vol 191, Issue 37

Send freebsd-questions mailing list submissions to
freebsd-questions@freebsd.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
or, via email, send a message with subject or body 'help' to
[EMAIL PROTECTED]

You can reach the person managing the list at
[EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of freebsd-questions digest..."


Today's Topics:

   1. Re: FreeBSD and ImageMagick crashes OS? (Kris Kennaway)
   2. RE: spammers harvesting emaill address from this list
  (Ted Mittelstaedt)
   3. Re: READ_DMA Error (Bahman M.)
   4. Re: best way to keep track of new developments (Michel Talon)
   5. Re: spammers harvesting emaill address from this list
  (Andrew Gould)
   6. Re: /var or /usr for data? ([EMAIL PROTECTED])
   7. Mouse suddenly gets detached and reattached (Bahman M.)


--

Message: 1
Date: Sat, 25 Aug 2007 05:56:59 +
From: Kris Kennaway <[EMAIL PROTECTED]>
Subject: Re: FreeBSD and ImageMagick crashes OS?
To: Norberto Meijome <[EMAIL PROTECTED]>
Cc: User Questions , Roger Olofsson
<[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

On Fri, Aug 24, 2007 at 08:26:50PM +1000, Norberto Meijome wrote:
> On Fri, 24 Aug 2007 11:29:59 +0200
> Roger Olofsson <[EMAIL PROTECTED]> wrote:
> 
> > Turns out ImageMagick was called through php to resize the .JPG and most
> > likely, the server runs out of memory/disk space. /var/tmp fills up and 
> > console spews as follows:
> > 
> > Aug 22 19:29:49 rutilus kernel: vnode_pager_putpages: I/O error 28
> > Aug 22 19:29:49 rutilus kernel: vnode_pager_putpages: residual I/O 32768
> > at 62620
> > Aug 22 19:29:49 rutilus kernel: pid 29 (syncer), uid 0 inumber 49382 on 
> > /var: filesystem full
> 
> :) having been bitten by that in several unix-like OS (pick any Linux
> distro, and freebsd too), i just remove /var/tmp and make a symlink to /tmp
> , which is big enough for my foreseeable needs. I like to keep my /var clean
> of tmp rubbish.
> 
> and yes,  configuring PHP and its libraries helps too :)

That's not an answer obviously.  Error 28 is

#define ENOSPC  28  /* No space left on device */

This seems like a bug to me: when a filesystem fills you shouldn't be
getting this behaviour.  Can you please follow the directions in the
developers handbook chapter on kernel debugging, and when you trigger
a hang, break to DDB from the console and force a dump, then file a PR
and make the core file available to the developers.  Unfortunately
unless a developer can replicate the behaviour, providing access to a
core is the only real debugging option.

Thanks,
Kris




--

Message: 2
Date: Sat, 25 Aug 2007 00:34:30 -0700
From: "Ted Mittelstaedt" <[EMAIL PROTECTED]>
Subject: RE: spammers harvesting emaill address from this list
To: "Erik Trulsson" <[EMAIL PROTECTED]>, "fbsd2"
<[EMAIL PROTECTED]>
Cc: "[EMAIL PROTECTED] ORG" 
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain;   charset="US-ASCII"



> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Erik Trulsson
> Sent: Thursday, August 23, 2007 6:52 AM
> To: fbsd2
> Cc: [EMAIL PROTECTED] ORG
> Subject: Re: spammers harvesting emaill address from this list
> 
> 
> For this list (freebsd-questions@) in particular it is intentionally and
> explicitly the case that one does not need to be subscribed to post here.
> This is because it is the main support forum for FreeBSD, and much
> documentation exists directing people to ask their questions here.
> 
> The list admins do have their priorities straight - they just 
> have different
> priorities than you do.
> 

Probably the list admins figure that anyone who posts here is an
advanced user type who understands how to setup spam filters that
work.

Ted


--

Message: 3
Date: Sat, 25 Aug 2007 11:52:30 +0330
From: "Bahman M." <[EMAIL PROTECTED]>
Subject: Re: READ_DMA Error
To: "Tamouh H." <[EMAIL PROTECTED]>
Cc: freebsd-questions@freebsd.org
Message-ID:
<[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1

> > During FreeBSD 6.2 installation, th