i think i got it…

the ipf needs to run first. so i start it with the rule to block the hash
of ranges like this:

block in quick on if0 from hash/666 to any

this complains that: ioctl(add/insert rule): No such process

ignoring this for now and starting ippool. after ippool loads the hash
(confirmed with ippool -l) then i do:

ipf -Fa -f /path/to/ipf.conf

that flushes/reloads the rules and this time the rule that looks for the
hash is found… ipfstat confirms the rule is in place.

i guess this sequence can also go like this (if ipf is not running):

ipf -E
ippool -f /path/to/ippool.conf
ipf -f /path/to/ipf.conf

but the one above worked for me…  so far so good….  will see how it holds…

so, yea….  thanks, brad, for the pointer…


On Wed, Mar 18, 2015 at 11:08 AM, el kalin <ka...@el.net> wrote:

>
> i can't start the pool without ipf and i get an i/o error when starting
> ipf with the pool rule…
>
>
> On Tue, Mar 17, 2015 at 9:05 AM, Brad Spencer <b...@anduin.eldar.org>
> wrote:
>
>>
>>    yea…  that's what I thought…
>>
>>    i did read all the man pages i could find on any bsd for the ipf tools
>> and
>>    none mentions anything about being able to block more than one range
>> at a
>>    time - like macros or lists or tables, etc. according to ipdeny.com
>> china
>>    has about 5300 of those…
>>
>>    i can put all of those in the conf file of course (not the nicest
>> way), but
>>    can the filter handle that? or is there a sound reason why ipf is not
>>    supposed to have the option of blocking multiple ranges in the first
>> place?
>>
>>    thanks…
>>
>>
>>
>> ippool(8) and ippool(5), perhaps???
>>
>>
>> Fill a pool with a range and associate it with a IPF rule.
>>
>>
>> An example I use:
>>
>> block in log on vlan3 proto tcp from hash/blocklist to any port = 22
>>
>>
>> where blocklist is a hash defined in /etc/ippool.conf
>>
>> table role = ipf type = hash name = blocklist size = 20000
>> {
>> 124.207.29.185/32;
>> 191.234.22.127/32;
>> 175.44.10.118/32;
>> .
>> .
>> .
>>
>> I probably wrote something for /etc/rc.d to manage setting up the ippool
>> on boot.  I seem to recall some sort of chicken-and-egg issue with having
>> the pool set up before ipf starts.  I think that ipf must be enabled
>> before the pool can be set up, but that won't quite work right, as the ipf
>> rules use the pool.  I think I just reinited the pool twice on boot, but I
>> don't exactly remember.
>>
>> The pools are dynamic and can be changed at run time, support subnets,
>> etc.. and this ability has existed since at least 4.0.
>>
>>
>>
>> --
>> Brad Spencer - b...@anduin.eldar.org - KC8VKS
>> http://anduin.eldar.org  - & -  http://anduin.ipv6.eldar.org [IPv6 only]
>>
>
>
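Putting the thread's two pieces together (Brad's ippool.conf table format and the load order that ended up working: enable ipf, load the pool, then flush and reload the rules that reference it), here is an added shell example. It is not code from the thread, from NetBSD, or from the ipf tools. It assumes a CIDR list at /etc/blocklist.cidr, a pool named `blocklist`, config paths /etc/ippool.conf and /etc/ipf.conf, that `ippool -l` prints the table name, and that `ipfstat -io` prints the loaded rule text including `hash/`; those are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): build an ippool.conf hash table from a
# plain CIDR list, then load pool and rules in the order that worked for the
# original poster. Paths and the pool name "blocklist" are assumptions.

# gen_pool NAME SIZE
# Reads CIDRs on stdin (one per line; '#' comments and blank lines ignored),
# appends /32 to bare host addresses, skips anything that is not an IPv4
# address or prefix (so a junk line cannot break the whole config), and prints
# an ippool.conf table block in the format shown in the thread.
gen_pool() {
    name=$1; size=$2
    printf 'table role = ipf type = hash name = %s size = %s\n{\n' "$name" "$size"
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | while read -r cidr; do
        if ! printf '%s' "$cidr" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'; then
            printf 'gen_pool: skipping malformed entry: %s\n' "$cidr" >&2
            continue
        fi
        case $cidr in
            */*) printf '\t%s;\n' "$cidr" ;;     # already carries a prefix length
            *)   printf '\t%s/32;\n' "$cidr" ;;  # bare host address
        esac
    done
    printf '};\n'
}

# load_all POOLCONF RULES
# Mirrors the sequence from the thread: the pool must exist before the rules
# that use hash/NAME are loaded, otherwise ipf rejects the rule. Each step is
# verified so a half-applied policy is noticed rather than silently ignored.
load_all() {
    pool=$1; rules=$2
    # Enable the filter; if it is already enabled this may fail harmlessly and
    # the next steps will surface any real problem.
    ipf -E >/dev/null 2>&1 || :
    ippool -f "$pool" || { echo "ippool load failed" >&2; return 1; }
    # Assumption: ippool -l output contains the table name.
    ippool -l | grep -q 'blocklist' || { echo "pool not present after load" >&2; return 1; }
    # Flush and reload rules; now hash/blocklist resolves.
    ipf -Fa -f "$rules" || { echo "ipf rule load failed" >&2; return 1; }
    # Assumption: ipfstat -io prints the installed rule text.
    ipfstat -io | grep -q 'hash/' || { echo "hash rule not installed" >&2; return 1; }
}

# Only touch the live firewall when explicitly asked, so the functions above
# can be sourced and tested without side effects.
if [ "${IPF_APPLY:-0}" = 1 ]; then
    gen_pool blocklist 20000 < /etc/blocklist.cidr > /etc/ippool.conf
    load_all /etc/ippool.conf /etc/ipf.conf
fi
```

Run with `IPF_APPLY=1 sh blocklist.sh` from an rc script; for the boot-time chicken-and-egg case mentioned in the thread, the same `load_all` order (enable, pool, rules) is what you want in /etc/rc.d rather than loading the rules twice.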
