Optimizing ipfw?
Tim Daneliuk
tundra at tundraware.com
Sat Nov 23 21:34:24 UTC 2019
On 11/23/19 3:21 PM, Karl Denninger wrote:
>
> On 11/23/2019 15:04, Tim Daneliuk wrote:
>> On 11/23/19 11:46 AM, Michael Sierchio wrote:
>>> Don't use specific rules per CIDR block, use tables. You can efficiently
>>> handle hundreds of thousands of CIDR blocks and IPv6 prefixes in a single
>>> table, or multiple tables. You can assign the argument based on country
>>> code or some such. You can add and delete CIDR blocks, and even swap tables
>>> so you can do it atomically.
>> Aha! Thanks. So, I added this to my firewall startup code:
>>
>> ###
>> # Block Naughty IP Addresses/Spaces
>> ###
>>
>> # Use ipfw tables for efficiency
>>
>> while read -r addr
>> do
>> ${FWCMD} table 10 add "${addr}"
>> done < "${NAUGHTYFILE}"
>>
>> ${FWCMD} add deny all from table\(10\) to any via ${OIF}
>>
>>
>> ipfw show does show that new table being referenced and the table shows the IPs and CIDR blocks
>> I want stopped, but I have no affirmative proof this is working yet.
>>
>> It no longer clobbers network performance, however, as you noted. So ... thanks again!
>>
>> P.S. Is there a way to get ipfw to dump everything it is blocking including the stuff in the table?
>
> You can add the word "log" to that deny command (add deny log all ....)
> which will log everything that matches that line in the ipfw rule set.
Yep, that would do it, but I was hoping for something a little less
noisy like dumping an internal state table that shows number of
denies so far per IP or CIDR block.
--
----------------------------------------------------------------------------
Tim Daneliuk tundra at tundraware.com
PGP Key: http://www.tundraware.com/PGP/
More information about the freebsd-questions mailing list
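As an added example (not code from this thread, nor from FreeBSD itself), the script below does two things the discussion above touches on: it builds the block table the way Michael suggests, but with a single ipfw invocation and an atomic "swap" instead of one fork per address, and it gives Tim a less noisy view of what the deny rule is hitting by aggregating ipfw "Deny" log lines per source address. The table names "naughty" and "naughty_new", the FWCMD wrapper variable, and the sample log lines in the test are all made up for the example; it assumes FreeBSD 11 or later, where ipfw has named tables with "create", "info" and "swap".

```shell
#!/bin/sh
# Added example (not code from the thread). Bulk-loads an ipfw table from a
# NAUGHTYFILE-style address list, swaps it into place atomically, and
# summarises "Deny" log lines per source address.
# Assumptions: FreeBSD 11+ named tables ("table NAME create type addr",
# "table A swap B"); table names "naughty"/"naughty_new" are made up;
# FWCMD may be pointed at a wrapper function for a dry run.

FWCMD="${FWCMD:-ipfw}"
TABLE="${TABLE:-naughty}"
NEWTABLE="${TABLE}_new"

# Print one "table <name> add <addr>" line per entry in the address file.
# Blank lines and '#' comments are dropped, and anything that is not made
# of address characters is skipped with a warning instead of being handed
# to ipfw (a bare `cat` loop would pass it straight through).
emit_table_load() {   # $1 = table name, $2 = address file
    awk -v t="$1" '
        { sub(/#.*/, "") }                      # strip comments
        NF == 0 { next }                        # skip blank lines
        $1 !~ "^[0-9A-Fa-f.:/]+$" {             # crude IPv4/IPv6/CIDR sanity check
            printf "skipping bad entry: %s\n", $1 > "/dev/stderr"; next
        }
        { print "table " t " add " $1 }
    ' "$2"
}

# Rebuild the table: fill the spare table from the file in ONE ipfw run
# (ipfw reads a script of commands when given a file name), then exchange
# the two tables with "swap" so the live rule never sees a half-loaded table.
load_and_swap() {   # $1 = address file
    script=$(mktemp) || return 1
    for t in "$TABLE" "$NEWTABLE"; do
        # "table X info" fails when the table does not exist yet
        "$FWCMD" table "$t" info >/dev/null 2>&1 ||
            "$FWCMD" table "$t" create type addr || { rm -f "$script"; return 1; }
    done
    {
        echo "table $NEWTABLE flush"
        emit_table_load "$NEWTABLE" "$1"
        echo "table $TABLE swap $NEWTABLE"
        echo "table $NEWTABLE flush"   # discard the old contents we just swapped out
    } > "$script"
    "$FWCMD" -q "$script"
    rc=$?
    rm -f "$script"
    return $rc
}

# Aggregate ipfw "Deny" log lines by source address, busiest first.
# Feed it the kernel/security log on stdin; the ipfw record looks like
#   ipfw: <rule> Deny <proto> <src>[:port] <dst>[:port] in|out via <ifname>
# Ports are stripped for both IPv4 (a.b.c.d:port) and bracketed IPv6.
count_denies() {
    awk '
        /ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            src = $(i + 4)
            if (src ~ /^\[.*]:[0-9]+$/) {
                sub(/]:[0-9]+$/, "", src); sub(/^\[/, "", src)
            } else if (src ~ /^[0-9.]+:[0-9]+$/) {
                sub(/:[0-9]+$/, "", src)
            }
            n[src]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

# Command-line entry point; with no arguments the file only defines functions.
case "${1:-}" in
    load)  load_and_swap "$2" ;;
    count) count_denies ;;
    "")    ;;
    *)     echo "usage: $0 load NAUGHTYFILE | count < /var/log/security" >&2 ;;
esac
```

With the table in place, the deny rule from the thread becomes something like `${FWCMD} add deny log logamount 100 all from table\(naughty\) to any via ${OIF}`; `logamount` caps how many entries that one rule logs (reset the counter with `ipfw resetlog`), which keeps the log from becoming the flood Tim was worried about. `ipfw show` only reports packet and byte counters per rule, so the deny rule yields one aggregate count for the whole table; per-source counts have to come from the log, which is what `count_denies` extracts.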