# ipfw questions



## miketodd (Jan 5, 2009)

Thanking you in advance for a very specific ipfw answer...

I have been using FreeBSD, and contributing where possible, since 
version 4.0 and support a number of blind Internet users depending on FreeBSD and ipfw to reduce the challenges they must face, especially from email spoofs and other incursions that are challenges even to fully sighted persons.

The one question I have regarding ipfw is how many rules may be 
attributed to a single rule number.  The manual only states that 
multiple rules may be assigned to a single number.  I am certain that number must be less than the 4+ million possible IPv4 IP addresses that may be blocked by an IPFW rule.  But just how large a number of items may a single rule number be used to accommodate?

The main reason I am asking this is that I have been working on writing some scripts involving both ipfw and procmail to automate the process of blocking IP addresses of systems participating in making the lives of the blind users I support miserable.

Someday I may be able to identify blocks of IP addresses that need to be blocked but, right now, the only reasonable approach is to block individual IP addresses which introduces the possibility of creating very large numbers of rules that must be handled within the limits of ipfw rule numbers.

Mike Todd
President, Mike Todd Associates - http://www.MikeTodd.com
Supporting the Digital Coast

President, Internet Society Los Angeles Chapter - http://www.ISOC-LA.org
mtodd@isoc-la.org

Founder, Digital Divide Task Force, http://www.ddtf.org (undergoing updates)
miketodd@ddtf.org

Western Research Application Center, Viterbi School of Engineering,
University of Southern California

Center for Entrepreneurship and Technology Law
Pepperdine University School of Law


----------



## Lowell (Jan 5, 2009)

miketodd said:
			
		

> The one question I have regarding ipfw is how many rules may be
> attributed to a single rule number.  The manual only states that
> multiple rules may be assigned to a single number.  I am certain that number must be less than the 4+ million possible IPv4 IP addresses that may be blocked by an IPFW rule.  But just how large a number of items may a single rule number be used to accommodate?


There is no explicit limit, but performance will get quite slow when the number of rules checked for a particular packet (whether on the same rule number or not) gets large.



			
				miketodd said:
			
		

> The main reason I am asking this is that I have been working on writing some scripts involving both ipfw and procmail to automate the process of blocking IP addresses of systems participating in making the lives of the blind users I support miserable.


The way to solve this is with tables, which have been supported by ipfw for some time now, and provide a much more efficient way to check for a large number of addresses and/or networks in a single rule.  See the documentation in ipfw(), but the basic syntax is roughly, e.g.:
`% ipfw add 4000 deny ip from table(1) to any`
`% ipfw table 1 add 1.2.3.4`

For a tested example, here is a piece of my own firewall setup script:

```
${fwcmd} table 3 add 61.0.0.0/7
        ${fwcmd} add deny tcp from table\(3\) to any
```
I have a large number of other networks added to that table, which is used to block off logins from other parts of the world.


----------

