Optimizing ipfw?

Tim Daneliuk tundra at tundraware.com
Sat Nov 23 21:05:41 UTC 2019


On 11/23/19 11:46 AM, Michael Sierchio wrote:
> Don't use specific rules per CIDR block, use tables.  You can efficiently
> handle hundreds of thousands of CIDR blocks and IPv6 prefixes in a single
> table, or multiple tables.  You can assign the argument based on country
> code or some such. You can add and delete CIDR blocks, and even swap tables
> so you can do it atomically.

Aha!  Thanks.  So, I added this to my firewall startup code:

  ###
  # Block Naughty IP Addresses/Spaces
  ###

  # Use ipfw tables for efficiency: one rule references the whole
  # table instead of one rule per address or CIDR block.

  # NAUGHTYFILE holds one address or CIDR block per line.
  for addr in $(cat "${NAUGHTYFILE}")
  do
    ${FWCMD} table 10 add "${addr}"
  done

  # A single deny rule matches anything in table 10 on the outside interface.
  ${FWCMD} add deny all from "table(10)" to any via "${OIF}"


ipfw show does show that new table being referenced and the table shows the IPs and CIDR blocks
I want stopped, but I have no affirmative proof this is working yet.

It does, however, no longer clobber network performance as you noted.  So ... thanks again!

P.S. Is there a way to get ipfw to dump everything it is blocking including the stuff in the table?
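As an added example (not part of the post above, and not Tim's script), here is a fuller version of the same table-based approach, written to the FreeBSD 11+ ipfw syntax for named tables (ipfw table NAME create type addr / add / flush / swap) that the reply mentions for atomic swaps. It assumes a blocklist file with one address or CIDR prefix per line, '#' comments allowed; the table name "naughty", the rule number 100, and the interface variable are illustrative choices. Entries are loaded into a staging table and swapped into the live one in a single step, so the deny rule never consults a half-loaded table, and a sanity filter drops lines that do not look like an address so a stray line cannot turn into a malformed rule. Passing "echo" as the firewall command prints the ipfw commands instead of running them, which is how to review what would be installed before touching the live ruleset.

```shell
#!/bin/sh
# Added example: build an ipfw address table from a blocklist file and
# reference it from one deny rule. Assumes FreeBSD 11+ named-table syntax.

# Print only the usable entries of a blocklist file: strip '#' comments and
# surrounding whitespace, drop blank lines, and keep only lines that look
# like an IPv4/IPv6 address or prefix.
blocklist_entries() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
      | grep -E '^([0-9]{1,3}(\.[0-9]{1,3}){3}|([0-9A-Fa-f]{0,4}:)+[0-9A-Fa-f:]*)(/[0-9]{1,3})?$'
}

# (Re)build table $2 from blocklist $1: fill a staging table, then swap it
# into place atomically. $3 is the command used to run ipfw; "echo" gives a
# dry run that only prints the commands.
load_blocklist_table() {
    file=$1; table=$2; fw=${3:-ipfw}
    staging="${table}_new"
    # "create" fails if the table already exists, which is fine on reruns.
    $fw table "$staging" create type addr 2>/dev/null || true
    $fw table "$staging" flush
    blocklist_entries "$file" | while read -r addr; do
        $fw table "$staging" add "$addr"
    done
    $fw table "$table" create type addr 2>/dev/null || true
    $fw table "$table" swap "$staging"
}

# Install (or replace) a single deny rule that matches anything in table $1
# on interface $2, using fixed rule number $3 so reruns do not pile up
# duplicate rules. $4 is the ipfw command ("echo" for a dry run).
install_deny_rule() {
    table=$1; oif=$2; num=$3; fw=${4:-ipfw}
    $fw delete "$num" 2>/dev/null || true
    $fw add "$num" deny all from "table($table)" to any via "$oif"
}

# Usage (dry run against a constructed blocklist; real use drops "echo"):
#   load_blocklist_table /etc/naughty.txt naughty echo
#   install_deny_rule naughty em0 100 echo
```

For the affirmative proof the post is after: "ipfw table naughty list" dumps the table contents, "ipfw table naughty lookup ADDRESS" reports whether a given address falls inside any entry, and the packet and byte counters on rule 100 in "ipfw show" increase as blocked traffic hits it.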
