i can't start the pool without ipf and i get an i/o error when starting ipf with the pool rule…
On Tue, Mar 17, 2015 at 9:05 AM, Brad Spencer <b...@anduin.eldar.org> wrote:

> > yea… that's what i thought…
> >
> > i did read all the man pages i could find on any bsd for the ipf tools and
> > none mentions anything about being able to block more than one range at a
> > time - like macros or lists or tables, etc. according to ipdeny.com china
> > has about 5300 of those…
> >
> > i can put all of those in the conf file of course (not the nicest way), but
> > can the filter handle that? or is there a sound reason why ipf is not
> > supposed to have the option of blocking multiple ranges in the first
> > place?
> >
> > thanks…
>
> ippool(8) and ippool(5), perhaps???
>
> Fill a pool with a range and associate it with an IPF rule.
>
> An example I use:
>
> block in log on vlan3 proto tcp from hash/blocklist to any port = 22
>
> where blocklist is a hash defined in /etc/ippool.conf
>
> table role = ipf type = hash name = blocklist size = 20000
> {
> 124.207.29.185/32;
> 191.234.22.127/32;
> 175.44.10.118/32;
> .
> .
> .
>
> I probably wrote something for /etc/rc.d to manage setting up the ippool
> on boot. I seem to recall some sort of chicken-and-egg issue with having
> the pool set up before ipf starts. I think that ipf must be enabled
> before the pool can be set up, but that won't quite work right, as the ipf
> rules use the pool. I think I just reinited the pool twice on boot, but I
> don't exactly remember.
>
> The pools are dynamic and can be changed at run time, support subnets,
> etc., and this ability has existed since at least 4.0.
>
> --
> Brad Spencer - b...@anduin.eldar.org - KC8VKS
> http://anduin.eldar.org - & - http://anduin.ipv6.eldar.org [IPv6 only]
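As an added example (not code from the thread), a POSIX sh function that turns a plain list of addresses or prefixes, such as the few thousand country ranges the original poster wants to block, into an ippool.conf(5) hash table in the form Brad shows, validating each entry and dropping duplicates before it is handed to ippool. The table name and size are parameters; the sample addresses are constructed RFC 5737 TEST-NET values, and the closing `};` is the ippool.conf table terminator that the thread's truncated excerpt does not show.

```shell
#!/bin/sh
# Build an ippool.conf(5) hash table from a list of IPv4 addresses or CIDR
# prefixes on stdin (one per line; '#' comments and blank lines ignored).
# Bare addresses become /32 host prefixes, malformed entries are reported on
# stderr and skipped, duplicates are dropped. Exit status is 1 if anything was
# skipped, so a boot script can refuse to load a partial blocklist.
# Added example, not code from the thread; the demo input below is constructed.
gen_ippool_table() {
    # $1 = pool name referenced as hash/<name> in ipf.conf, $2 = hash size
    awk -v name="$1" -v size="$2" '
    function valid_prefix(p,    parts, octs, i) {
        if (split(p, parts, "/") != 2) return 0
        if (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32) return 0
        if (split(parts[1], octs, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (octs[i] !~ /^[0-9]+$/ || octs[i] + 0 > 255) return 0
        return 1
    }
    BEGIN { printf("table role = ipf type = hash name = %s size = %s\n{\n", name, size) }
    {
        sub(/#.*/, "")                       # drop trailing comment
        gsub(/[ \t]+/, "")                   # drop whitespace
        if ($0 == "") next
        p = ($0 ~ /\//) ? $0 : $0 "/32"      # bare address -> host prefix
        if (!valid_prefix(p)) {
            printf("line %d: skipping invalid entry %s\n", NR, $0) > "/dev/stderr"
            bad++
            next
        }
        if (p in seen) next                  # ignore duplicates
        seen[p] = 1
        printf("  %s;\n", p)
        good++
    }
    END {
        print "};"
        printf("%d entries written, %d skipped\n", good + 0, bad + 0) > "/dev/stderr"
        exit (bad > 0 ? 1 : 0)
    }'
}

# Demo with constructed TEST-NET addresses; the comment, blank line and
# duplicate exercise the filtering.
printf '203.0.113.7\n# example comment\n\n198.51.100.0/24\n203.0.113.7/32\n' \
    | gen_ippool_table blocklist 20000
```

The resulting file is what `ippool -f` would load; Brad's note about the boot-order issue still applies, since the pool must exist before any ipf rule that references `hash/blocklist` is loaded.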