I can't start the pool without ipf, and I get an I/O error when starting ipf with the pool rule…
On Tue, Mar 17, 2015 at 9:05 AM, Brad Spencer <brad%anduin.eldar.org@localhost> wrote:
Yeah… that's what I thought…
I did read all the man pages I could find on any BSD for the ipf tools and
none mentions anything about being able to block more than one range at a
time - like macros or lists or tables, etc. According to ipdeny.com, China
has about 5300 of those…
I can put all of those in the conf file of course (not the nicest way), but
can the filter handle that? Or is there a sound reason why ipf is not
supposed to have the option of blocking multiple ranges in the first place?
Thanks…
ippool(8) and ippool(5), perhaps???
Fill a pool with a range and associate it with an IPF rule.
An example I use:
block in log on vlan3 proto tcp from hash/blocklist to any port = 22
where blocklist is a hash defined in /etc/ippool.conf
table role = ipf type = hash name = blocklist size = 20000
{
124.207.29.185/32;
191.234.22.127/32;
175.44.10.118/32;
.
.
.
I probably wrote something for /etc/rc.d to manage setting up the ippool
on boot. I seem to recall some sort of chicken-and-egg issue with having
the pool set up before ipf starts. I think that ipf must be enabled
before the pool can be set up, but that won't quite work right, as the ipf
rules use the pool. I think I just reinited the pool twice on boot, but I
don't exactly remember.
The pools are dynamic and can be changed at run time, support subnets,
etc., and this ability has existed since at least 4.0.
--
Brad Spencer - brad%anduin.eldar.org@localhost - KC8VKS
http://anduin.eldar.org - & - http://anduin.ipv6.eldar.org [IPv6 only]
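To make the approach in the reply above concrete for a 5300-entry country list, here is an added example (not code from the thread or from Brad's rc.d script) that turns a plain CIDR list of the shape ipdeny.com publishes into an ippool.conf hash table, prints the matching ipf rule, and shows the load order the reply describes (ipf enabled, then the pool, then the rules that name it). The sample zone file is constructed; the table name "blocklist", the interface vlan3, the use of "quick", the file paths and setting "size" to the entry count are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: build an ippool(5) hash table from a
# plain list of CIDRs (the shape of the per-country zone files ipdeny.com
# publishes) and show the load order the reply above describes: ipf enabled,
# pool loaded, then the rules that reference the pool. The file names, the
# table name "blocklist", the interface and the use of "quick" are assumptions.

set -u

# Constructed sample zone file (not real ipdeny data): RFC 5737 documentation
# prefixes plus one bare address, with a comment and a blank line mixed in.
write_sample_zone() {
    cat > "$1" <<'EOF'
# lines starting with # and blank lines are ignored
192.0.2.0/24

198.51.100.0/25
203.0.113.7
EOF
}

# Print an ippool.conf "table" stanza for the CIDRs in zone file $1 under the
# table name $2. Only lines that look like an IPv4 prefix are accepted, so a
# truncated or tampered download cannot smuggle other syntax into the pool
# file; a bare address becomes a /32. "size" is the hash bucket count; here it
# is simply set to the number of entries (an assumption, tune for your list).
gen_ippool_table() {
    zone=$1; name=$2
    re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
    n=$(grep -Ec "$re" "$zone" || true)
    if [ "$n" -eq 0 ]; then
        echo "gen_ippool_table: no usable entries in $zone" >&2
        return 1
    fi
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$zone" | grep -Evc "$re" || true)
    [ "$bad" -eq 0 ] || echo "gen_ippool_table: skipped $bad malformed line(s)" >&2
    printf 'table role = ipf type = hash name = %s size = %s\n{\n' "$name" "$n"
    grep -E "$re" "$zone" | while IFS= read -r cidr; do
        case $cidr in
            */*) printf '\t%s;\n' "$cidr" ;;
            *)   printf '\t%s/32;\n' "$cidr" ;;
        esac
    done
    printf '}\n'
}

# The matching ipf rule. ipf is last-match-wins unless a rule says "quick",
# so "quick" makes the block final regardless of what follows it in ipf.conf.
# $1 = interface, $2 = table name.
gen_ipf_rule() {
    printf 'block in log quick on %s from hash/%s to any\n' "$1" "$2"
}

# Load order on the firewall host, following the reply above: the reply says
# the pool cannot be set up before ipf is enabled, and rules that name the
# pool fail to load before the pool exists, so enable, load the pool, then
# flush and reload the rules. Not run by anything in this file.
load_blocklist() {
    ipf -E                      # enable the filter (harmless if already on)
    ippool -f /etc/ippool.conf  # create or refresh the pool
    ipf -Fa -f /etc/ipf.conf    # flush rules and load the ones using the pool
}

# Usage: sh blocklist.sh /path/to/zone  -> prints the pool stanza and the rule
if [ $# -eq 1 ]; then
    gen_ippool_table "$1" blocklist
    gen_ipf_rule vlan3 blocklist
fi
```

Run it against a downloaded zone file to produce the stanza for /etc/ippool.conf and the rule line for /etc/ipf.conf; the one-entry-per-line output is the same shape as the blocklist in the reply, only generated rather than hand-typed, which is what makes a 5300-prefix table manageable to regenerate when the list changes.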