Tuesday, April 22, 2008

FreeBSD multi-route: CERNET and China Telecom dual-line access

Using the ipfw lookup table to select the CERNET or China Telecom route automatically.


On Tue, Aug 24, 2004 at 10:55:13PM +0200, Simon L. Nielsen wrote:
> On 2004.08.24 11:17:39 -0500, Chris wrote:
> > I'm working with a friend of mine w/ipfw. Below are IPs that are trying
> > to hack in via ssh. I suggested using something in the form of:
> >
> > # Allow in SFTP, SSH, and SCP from public Internet
> > ${fwcmd} add 090 pass log tcp from xxx.xxx.xxx.xxx/29 to ${ip} 22 setup
> > limit src-addr 4
> >
> > But he mentions that he needs access to his box from potential client
> > sites where the IP is unknown.
> >
> > There has to be a better way to block the below - suggestions?
>
> If you use FreeBSD -CURRENT or -STABLE (newer than 4.10 and 5.2) you
> could use the new table feature. Otherwise, if you use ipfw2, you could
> use "or-blocks", e.g.
>
> ipfw add deny ip from { 1.2.4.5 or 1.2.4.7 or 1.2.5.7 } to any

Good call, but unfortunately this is not very good in performance either.

If you use the latest kernel, your ipfw2 should have the lookup tables patch, which
uses radix lookup. A { blah or bleh or x or y or z } list is a linear lookup,
causing the system to look up twice in linear fashion to come to a match. It is
not exactly any better in terms of performance efficiency than adding hundreds
of straight ipfw rules, each with an IP address specification.

Try this if you have the tables feature:

# one "table add" per entry; the mask (/32 for a single host) is part of the key
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32

# quote "table(1)" when running this from a shell, otherwise the shell parses the parentheses
ipfw add 300 deny ip from "table(1)" to any

No matter how many elements you have in table 1, thanks to the radix/Patricia trie
lookup, as with the kernel routing table, the time spent looking through firewall
elements is O(32), i.e. constant.

To demonstrate the efficiency:

Test #1: Start with 1 ipfw rule (the last rule, 65535, being allow all) that
denies one IP address on the DUT. Flood the remote tester device that is not
denied by the ipfw rule. Start the test, and increment the ipfw rules from 1
to 10. Result:

1 rule: 140kpps
2 rules: 140kpps
3 rules: 138kpps
4 rules: 137kpps
5 rules: 135kpps
6 rules: 135kpps
7 rules: 132kpps
8 rules: 133kpps
9 rules: 131kpps
10 rules: 129kpps

Test #2: Perform the exact same test above, however use a lookup table to store
the elements from 1 to 10:

1 element in table: 140kpps
2 elements in table: 140kpps
3 elements in table: 140kpps
4 elements in table: 141kpps
5 elements in table: 140kpps
6 elements in table: 139kpps
7 elements in table: 140kpps
8 elements in table: 142kpps
9 elements in table: 140kpps
10 elements in table: 140kpps
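Putting the thread's point to work for the dual-line setup named in the title: the script below is an added example (my own code, not from the post or the quoted e-mail) that loads a prefix list into one ipfw lookup table for policy routing and keeps a second table as the SSH-attacker block list. Everything specific is an assumption made for illustration: the table and rule numbers, the gateway 192.0.2.1, the interface em0, the constructed prefix list, the helper names (normalize_prefix, load_table, block_host, install_rules), and the platform note that fwd on FreeBSD releases of that era needs a kernel built with options IPFIREWALL_FORWARD. By default it only prints the ipfw commands; run it as root with IPFW=/sbin/ipfw to apply them.

```shell
#!/bin/sh
# Added example; not code from the original post or the quoted e-mail thread.
# Builds ipfw lookup tables from a prefix list and uses them two ways:
#   table 1 selects the CERNET link for matching destinations (the dual-line
#   setup in the title), table 2 is the SSH-attacker block list from the thread.
# Assumptions (all made up for illustration): table and rule numbers, the
# gateway address, the interface name and the sample prefix list. IPFW defaults
# to a dry run that only prints the commands; run as root on FreeBSD with
# IPFW=/sbin/ipfw to apply them.

IPFW="${IPFW:-echo ipfw}"

ROUTE_TABLE=1          # destinations that should leave via the CERNET link
BLOCK_TABLE=2          # hosts to drop outright
CERNET_GW=192.0.2.1    # hypothetical next hop on the CERNET side
LAN_IF=em0             # hypothetical interface the LAN clients arrive on

# Constructed sample prefix list; a real one would be the CERNET route file.
# Blank lines and '#' comments are tolerated; a bare host gets an implicit /32.
sample_prefixes() {
    cat <<'EOF'
# CERNET sample prefixes (constructed, not real allocations)
202.112.0.0/15
166.111.0.0/16
59.64.0.0/13

211.68.1.2
EOF
}

# Normalise one list line: strip comment and whitespace, add /32 when no mask.
# Prints nothing for blank or comment-only lines.
normalize_prefix() {
    p=$(printf '%s\n' "$1" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$p" ] || return 0
    case "$p" in
        */*) printf '%s\n' "$p" ;;
        *)   printf '%s/32\n' "$p" ;;
    esac
}

# Rebuild table $1 from the prefix list on stdin; the last line printed is the
# number of entries added. One 'table N add' per prefix, as in the post: the
# radix lookup makes rule cost independent of how many entries this loads.
load_table() {
    t=$1; n=0
    $IPFW table "$t" flush
    while IFS= read -r line || [ -n "$line" ]; do
        p=$(normalize_prefix "$line")
        [ -n "$p" ] || continue
        $IPFW table "$t" add "$p"
        n=$((n + 1))
    done
    echo "$n"
}

# Add one attacker (host or prefix) to the block list, e.g. from a log scraper.
block_host() {
    $IPFW table "$BLOCK_TABLE" add "$(normalize_prefix "$1")"
}

# Rules that consume the tables. "table(N)" is quoted so the shell does not try
# to parse the parentheses. fwd on the FreeBSD releases of that era needs a
# kernel built with 'options IPFIREWALL_FORWARD' (assumption about the target).
install_rules() {
    # drop block-listed sources before they reach sshd (rule 300 in the post)
    $IPFW add 300 deny ip from "table($BLOCK_TABLE)" to any
    # LAN traffic for CERNET destinations goes to the CERNET next hop; anything
    # else follows the kernel default route, i.e. the Telecom link
    $IPFW add 400 fwd "$CERNET_GW" ip from any to "table($ROUTE_TABLE)" in via "$LAN_IF"
}

sample_prefixes | load_table "$ROUTE_TABLE" >/dev/null
block_host 198.51.100.7
install_rules
```

The deny rule sits before the fwd rule so a block-listed host never gets policy-routed; reloading the prefix list is a flush plus a series of adds, which, per the measurements above, leaves the per-packet cost flat no matter how long the CERNET list grows. After applying, `ipfw table 1 list` shows what actually got loaded.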
