blocking a string in a packet using ipfw
Phil Regnauld
regnauld at catpipe.net
Thu Sep 14 06:47:31 PDT 2006
Willem Jan Withagen (wjw) writes:
>
> Now I'm pretty sure that ipfw does not stretch indefinitely to contain
> perhaps something like 100.000 ip-numbers (would be a nice test. :) )
Actually, it should.
> So I'd
> like to see if there is something to do with divert and some matching on a
> string in the packet to drop those packets.
That will be quite expensive. Ideally ipfw/pf should allow for inspecting
the contents of a packet (offset,value,[offset,value]) without leaving
kernel space.
> That would prevent me from having a humongous set of rules in ipfw.
>
> Or any other suggestion that would make sense.
Using pf with a table, and in ipfw as well, you can handle very large
lists of IP addresses.
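As an added illustration of the table approach Phil describes (example code, not from the thread or the FreeBSD project): a POSIX sh script that validates a constructed block list and emits one ipfw table plus a single deny rule that references it, and the equivalent pf.conf fragment. The table name `blocklist`, rule number 1000 and the file path `/etc/pf/blocklist.txt` are assumptions.

```shell
# Constructed sample block list (not from the thread): one IPv4 address or
# CIDR per line; '#' comments, blank lines and malformed entries are dropped.
BLOCKLIST_SAMPLE='# constructed example list
192.0.2.10
198.51.100.0/24

203.0.113.7/32   # trailing comment
256.1.1.1
not-an-address
'

# Print only syntactically valid IPv4 addresses / CIDRs (octets <= 255,
# prefix length <= 32), one per line, with comments and whitespace removed.
valid_cidrs() {
    printf '%s\n' "$BLOCKLIST_SAMPLE" | sed 's/#.*//; s/[[:blank:]]//g' | awk '
    /^$/ { next }
    {
        n = split($0, p, "/")
        if (n > 2) next
        if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) next
        if (split(p[1], o, ".") != 4) next
        ok = 1
        for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        if (ok) print
    }'
}

# Emit an ipfw ruleset file: one table holding every entry and ONE rule that
# consults it, instead of one rule per address. Load with: ipfw -q <file>
# (when typed at a shell prompt, quote the lookup as 'table(blocklist)').
gen_ipfw_batch() {
    table=${1:-blocklist}   # assumed table name
    rulenum=${2:-1000}      # assumed rule number
    echo "table $table create type addr"
    valid_cidrs | while read -r cidr; do
        echo "table $table add $cidr"
    done
    echo "add $rulenum deny ip from table($table) to any in"
}

# pf equivalent: a persistent table loaded from a file plus one block rule.
gen_pf_conf() {
    table=${1:-blocklist}
    printf 'table <%s> persist file "/etc/pf/%s.txt"\n' "$table" "$table"
    printf 'block in quick from <%s> to any\n' "$table"
}

# Number of entries that survived validation (3 for the sample above).
count_entries() {
    valid_cidrs | grep -c .
}
```

With a real list, replace `BLOCKLIST_SAMPLE` with the file contents; entries can later be added or removed with `ipfw table blocklist add|delete` without touching the rule.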