On 2004-11-21 13:16, Ciprian BADESCU <cbadescu@aspc.cs.utt.ro> wrote:

> On Sat, Nov 20, 2004 at 01:32:15PM -0500, Francisco Reyes wrote:
>
>> I have a grown list of IPs that I am "deny ip from ###.### to any".
>> Infected machines, hackers, etc..
>>
>> Is there a way to have this list outside of rc.firewall and just
>> read it in?
>
> from man ipfw
>
> LOOKUP TABLES
> Lookup tables are useful to handle large sparse address sets, typically
> from a hundred to several thousands of entries. There could be 128
> different lookup tables, numbered 0 to 127.
> [...] here is an example: [...]
>
> To set the table you could use a file /etc/badboys
> and a short shell script executed before the table denying rules:
>
> for i in `cat /etc/badboys`; do ${fwcmd} table 0 add $i; done;

If the table is going to grow at least a few thousand entries you might
hit the command line length limit. Try something like this instead:

    while read ipaddr; do
        ${fwcmd} table 0 add "${ipaddr}"
    done < /etc/badhosts

Getting the lines one by one can be a bit slow but it's more flexible.

Another good idea may be to use a custom awk script to parse the badhosts
file and ``generate'' sh(1) code that is run to populate the table:

    badtable=0
    fwcmd="ipfw -q"
    awk -v fwcmd="${fwcmd}" -v tab="${badtable}" \
        '! /^[ ]*#/ { printf "%s table %d add %s\n", fwcmd, tab, $1 }' \
        /etc/badhosts | sh

This is probably going to be a bit faster than while read ...

- Giorgos

freebsd-security@freebsd.org mailing list
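The awk generator in the thread passes every non-comment line straight into an ipfw command, so a blank line or a typo in the hosts file becomes a malformed (or unintended) table entry. The script below is an added example, not code from the thread or from FreeBSD: it keeps the same "generate sh(1) code, then run it" approach but skips blank lines, strips trailing comments, and refuses anything that is not a plain IPv4 address or CIDR prefix, reporting the rejected line on stderr. The file path, table number and firewall command are all arguments (the sample list is constructed from documentation ranges and written to a temp file); ipfw itself is never invoked here, you pipe the output to sh once you have reviewed it.

```shell
#!/bin/sh
# Generate "FWCMD table TABLE add ADDR" lines from a hosts file, one per
# output line, ready to be piped into sh(1). Blank lines and '#' comments
# (whole-line or trailing) are skipped; entries that are not an IPv4
# address or a.b.c.d/len prefix are reported on stderr and dropped.
#
# Usage: gen_table_cmds FILE TABLE FWCMD
#   review first:   gen_table_cmds /etc/badhosts 0 "ipfw -q"
#   then apply:     gen_table_cmds /etc/badhosts 0 "ipfw -q" | sh
gen_table_cmds() {
    awk -v fwcmd="$3" -v tab="$2" '
        { sub(/#.*/, "") }          # drop trailing / whole-line comments
        NF == 0 { next }            # nothing left on this line
        {
            # Accept a.b.c.d or a.b.c.d/len, octets 0-255, len 0-32.
            n = split($1, p, "/")
            ok = (n == 1 || (n == 2 && p[2] ~ /^[0-9]+$/ && p[2] + 0 <= 32))
            if (ok) {
                m = split(p[1], o, ".")
                ok = (m == 4)
                for (i = 1; i <= 4 && ok; i++)
                    ok = (o[i] ~ /^[0-9]+$/ && o[i] + 0 <= 255)
            }
            if (!ok) {
                printf "skipping bad entry at line %d: %s\n", NR, $0 > "/dev/stderr"
                next
            }
            printf "%s table %d add %s\n", fwcmd, tab, $1
        }' "$1"
}

# Constructed sample list (RFC 5737 documentation ranges, not real hosts),
# including the kinds of lines that trip up the simpler awk one-liner.
write_sample_hosts() {
    cat > "$1" <<'EOF'
# constructed sample list, not a real block list
192.0.2.10
198.51.100.0/24     # whole range
   
203.0.113.7 free-form notes after the address are ignored
not-an-address
10.0.0.300
192.0.2.5/99
EOF
}

# Demo: show what would be run, without touching the firewall.
demo_file=$(mktemp)
write_sample_hosts "$demo_file"
gen_table_cmds "$demo_file" 0 "ipfw -q"
rm -f "$demo_file"
```

Keeping the generator separate from `| sh` gives you a dry run for free: the printed commands are exactly what the firewall will receive, and the stderr lines tell you which entries were silently ignored, which is what you want to know before a boot-time rc.firewall run depends on the file.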