NetBSD-Users archive


Re: net.inet.tcp.tso=0



i think i got it…

the ipf needs to run first. so i start it with the rule to block the hash of ranges like this:

block in quick on if0 from hash/666 to any

this complains that: ioctl(add/insert rule): No such process

ignoring this for now and starting ippool. after ippool loads the hash (confirmed with ippool -l) then i do:

ipf -Fa -f /path/to/ipf.conf

that flushes/reloads the rules and this time the rule that looks for the hash is found… ipfstat confirms the rule is in place.

i guess this sequence can also go like this (if ipf is not running):

ipf -E
ippool -f /path/to/ippool.conf
ipf -f /path/to/ipf.conf

but the one above worked for me…  so far so good….  will see how it holds… 

so, yea….  thanks, brad, for the pointer… 


On Wed, Mar 18, 2015 at 11:08 AM, el kalin <kalin%el.net@localhost> wrote:

i can't start the pool without ipf and i get an i/o error when starting ipf with the pool rule…
 

On Tue, Mar 17, 2015 at 9:05 AM, Brad Spencer <brad%anduin.eldar.org@localhost> wrote:

   yea…  that's what I thought…

   i did read all the man pages i could find on any bsd for the ipf tools and
   none mentions anything about being able to block more than one range at a
   time - like macros or lists or tables, etc. according to ipdeny.com china
   has about 5300 of those…

   i can put all of those in the conf file of course (not the nicest way), but
   can the filter handle that? or is there a sound reason why ipf is not
   supposed to have the option of blocking multiple ranges in the first place?

   thanks…



ippool(8) and ippool(5), perhaps???


Fill a pool with a range and associate it with an IPF rule.


An example I use:

block in log on vlan3 proto tcp from hash/blocklist to any port = 22


where blocklist is a hash defined in /etc/ippool.conf

table role = ipf type = hash name = blocklist size = 20000
{
124.207.29.185/32;
191.234.22.127/32;
175.44.10.118/32;
.
.
.

I probably wrote something for /etc/rc.d to manage setting up the ippool
on boot.  I seem to recall some sort of chicken-and-egg issue with having
the pool set up before ipf starts.  I think that ipf must be enabled
before the pool can be set up, but that won't quite work right, as the ipf
rules use the pool.  I think I just reinited the pool twice on boot, but I
don't exactly remember.

The pools are dynamic and can be changed at run time, support subnets,
etc.. and this ability has existed since at least 4.0.



--
Brad Spencer - brad%anduin.eldar.org@localhost - KC8VKS
http://anduin.eldar.org  - & -  http://anduin.ipv6.eldar.org [IPv6 only]
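The thread's practical problem is turning a long list of ranges (the ~5300 entries el kalin mentions) into the `table role = ipf type = hash ...` block that Brad's /etc/ippool.conf example shows, without hand-editing. The POSIX sh below is an added example, not code from either poster or from the ipfilter project: it reads one IPv4 CIDR per line, drops comments and blank lines, rejects malformed entries, turns bare addresses into /32 host entries, and prints a table in the format of Brad's example. The table name is taken from the first argument; the `size =` value (a power of two at least twice the entry count, minimum 64) is this example's own sizing choice, not something the thread or ippool(5) prescribes. The sample input in the test is constructed.

```sh
#!/bin/sh
# Added example: build an ippool(5) hash table from a CIDR list on stdin.
# Usage: gen_ippool_table blocklist < zone-file > /etc/ippool.conf
# Then, as reported in the thread: ipf -E; ippool -f /etc/ippool.conf; ipf -f /etc/ipf.conf

# valid_cidr A.B.C.D/N: return 0 if every octet is 0..255 and N is 0..32.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    len=${1#*/}
    # Prefix length must be all digits and no larger than 32.
    case "$len" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$len" -le 32 ] || return 1
    # Only digits and dots are allowed in the address part; this also rules out
    # glob characters before the unquoted split below.
    case "$ip" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_ippool_table NAME: read CIDRs from stdin, write an ippool table to stdout.
# Invalid entries are reported on stderr and skipped rather than silently loaded.
gen_ippool_table() {
    name=$1
    n=0
    entries=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # strip trailing comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -z "$line" ] && continue
        case "$line" in
            */*) ;;
            *) line="$line/32" ;;              # bare address becomes a host entry
        esac
        if valid_cidr "$line"; then
            entries="$entries$line;
"
            n=$((n + 1))
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done
    # Sizing choice of this example: power of two, at least 2*n, minimum 64.
    size=64
    while [ "$size" -lt $((n * 2)) ]; do
        size=$((size * 2))
    done
    printf 'table role = ipf type = hash name = %s size = %s\n{\n' "$name" "$size"
    printf '%s' "$entries"
    printf '};\n'
}
```

After loading the generated file with `ippool -f`, `ippool -l` shows whether the table and its entry count match what was generated, which is the check the thread uses before reloading the ipf rules that reference the hash.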



