NetBSD-Users archive


Re: net.inet.tcp.tso=0



yea… that's what i thought…

i did read all the man pages i could find on any bsd for the ipf tools and none mentions anything about being able to block more than one range at a time - like macros or lists or tables, etc. according to ipdeny.com china has about 5300 of those… 

i can put all of those in the conf file of course (not the nicest way), but can the filter handle that? or is there a sound reason why ipf is not supposed to have the option of blocking multiple ranges in the first place?

thanks… 


 

On Mon, Mar 16, 2015 at 3:57 PM, el kalin <kalin%el.net@localhost> wrote:
ok so… it appears to me that ipf doesn't have an easy way to load files with a large number of subnets. in pf i can do:
table <blocked_zones> persist file "/etc/pf-files/blocked_zones"
and it will load a file with all the chinese ip ranges. and then i can block on <blocked_zones>. how do i do that in ipf?!
thanks

On Sat, Mar 14, 2015 at 7:14 AM, Manuel Bouyer <bouyer%antioche.eu.org@localhost> wrote:
On Fri, Mar 13, 2015 at 11:25:50PM -0400, el kalin wrote:
> it didn't work. this is what happened:
>
> # sysctl net.inet.tcp.tso=0
> sysctl: fourth level name 'tso' in 'net.inet.tcp.tso' is invalid

yes, this sysctl doesn't exist on netbsd.

>
> is there any firewall / packet filter that would work on the netbsd 6 ec2
> image? anyone?

ipf works and is compiled by default in the kernel.

--
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 years of experience will always make the difference
--
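
IPFilter has a counterpart to pf tables: address pools loaded with ippool(8) and matched in ipf.conf as `pool/N`. The script below is an added example, not part of the original thread: it validates and collapses a zone file of CIDR ranges and emits an ippool.conf table plus a single block rule. The pool number 13, the sample prefixes and the function names are assumptions, and the table syntax should be checked against ippool(5) on the installed IPFilter version.

```python
import ipaddress

# Constructed sample input in the one-CIDR-per-line layout of a zone file;
# the prefixes are documentation ranges, not real country allocations.
SAMPLE_ZONE = """\
# constructed sample
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
198.51.100.64/26
203.0.113.7
not-a-cidr
2001:db8::/32
"""

def parse_zone(text):
    """Return (collapsed IPv4 networks, rejected (line number, entry) pairs)."""
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=True rejects entries with host bits set, e.g. 10.0.0.1/8
            nets.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError:
            rejected.append((lineno, entry))
    # Merge adjacent and overlapping ranges so the pool stays as small as possible
    return list(ipaddress.collapse_addresses(nets)), rejected

def render_ippool(nets, pool_number):
    """Render one ippool.conf tree table holding every network (assumed 4.1-style syntax)."""
    if not nets:
        raise ValueError("refusing to emit an empty pool")
    body = ";\n\t  ".join(str(n) for n in nets)
    return f"table role = ipf type = tree number = {pool_number}\n\t{{ {body} }};\n"

def render_ipf_rule(pool_number):
    """Single ipf.conf rule that matches every address in the pool."""
    return f"block in quick from pool/{pool_number} to any\n"

if __name__ == "__main__":
    nets, rejected = parse_zone(SAMPLE_ZONE)
    for lineno, entry in rejected:
        print(f"# skipped line {lineno}: {entry!r}")
    print(render_ippool(nets, 13), end="")
    print(render_ipf_rule(13), end="")
```

The table text goes into the pool configuration file loaded by ippool(8), and the rule goes into ipf.conf; load the pool before the rules that reference it.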



