yea… that's what i thought… i did read all the man pages i could find on any bsd for the ipf tools and none mentions anything about being able to block more than one range at a time - like macros or lists or tables, etc. according to ipdeny.com china has about 5300 of those…

i can put all of those in the conf file of course (not the nicest way), but can the filter handle that? or is there a sound reason why ipf is not supposed to have the option of blocking multiple ranges in the first place? thanks…

On Mon, Mar 16, 2015 at 3:57 PM, el kalin <ka...@el.net> wrote:
> ok so… it appears to me that ipf doesn't have an easy way to load files
> with a large number of subnets. in pf i can do:
>
> table <blocked_zones> persist file "/etc/pf-files/blocked_zones"
>
> and it will load a file with all the chinese ip ranges. and then i can block
> on <blocked_zones>. how do i do that in ipf?!
>
> thanks
>
>
> On Sat, Mar 14, 2015 at 7:14 AM, Manuel Bouyer <bou...@antioche.eu.org>
> wrote:
>
>> On Fri, Mar 13, 2015 at 11:25:50PM -0400, el kalin wrote:
>> > it didn't work. this is what happened:
>> >
>> > # sysctl net.inet.tcp.tso=0
>> > sysctl: fourth level name 'tso' in 'net.inet.tcp.tso' is invalid
>>
>> yes, this sysctl doesn't exist on netbsd.
>>
>> >
>> > is there any firewall / packet filter that would work on the netbsd 6
>> ec2
>> > image? anyone?
>>
>> ipf works and is compiled by default in the kernel.
>>
>> --
>> Manuel Bouyer <bou...@antioche.eu.org>
>> NetBSD: 26 years of experience will always make the difference
>> --
>>
>
>
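Since ipf has no pf-style table, the conf-file approach mentioned in the post is the fallback. As an added example (not from this thread or the NetBSD project), here is a POSIX shell/awk generator that turns a zone file into one ipf rule per range, validating each entry so a malformed line is reported instead of producing a rule ipf cannot parse. The interface name em0 and the sample zone file are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit one "block in quick" ipf rule per
# IPv4 CIDR found in a zone file. Interface name and file paths are placeholders.

# gen_ipf_rules IFACE FILE
#   FILE holds one IPv4 CIDR per line; '#' comments and blank lines are ignored.
#   Valid entries become ipf rules on stdout; malformed entries are reported on
#   stderr and skipped so they never reach the rule set.
gen_ipf_rules() {
    awk -v ifc="$1" '
        function valid_cidr(s,   p, o, n, i) {
            n = split(s, p, "/")
            if (n > 2 || split(p[1], o, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) return 0
            return 1
        }
        /^[ \t]*(#|$)/ { next }
        valid_cidr($1) { printf "block in quick on %s from %s to any\n", ifc, $1; next }
        { printf "line %d: skipped malformed entry: %s\n", NR, $0 > "/dev/stderr" }
    ' "$2"
}

# rule_count IFACE FILE: number of rules produced, for a sanity check against
# the zone file before loading the output with: ipf -Fa -f rules.conf
rule_count() { gen_ipf_rules "$1" "$2" 2>/dev/null | wc -l | tr -d ' '; }

# Constructed sample zone file (not real ipdeny data): two valid entries,
# one with an out-of-range octet and one with an impossible prefix length.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample zone file
198.51.100.0/24
203.0.113.0/24
203.0.113.999/24
192.0.2.0/33
EOF

gen_ipf_rules em0 "$SAMPLE"
```

Redirect stdout to a file and load it with ipf as usual; the stderr lines tell you which entries of the zone file need fixing.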