how to block 10000's of addresses?

On Sunday 13 October 2002 12:50 pm, Phil Howard wrote:

> I would like to know how best to block 10000's of addresses using
> netfilter.  Clearly I do not want to be placing 10000's of individual
> filter table entries in.

Sounds like an incompatible set of requirements. If you want to block 10000
addresses (and assuming they don't fit into contiguous network ranges) then
you need 10000 rules to be able to specify what you want to block.

Why don't you want 10000 rules on your netfilter box? Have you tried it
and found it causes any problems?

> Is there some kind of means to set up the
> equivalent of a routing table like lookup structure (which can be
> added to and removed from separately) which a single netfilter rule
> would reference to apply matches?

Set up source routing and send the packets to a separate netfilter box whose 
sole purpose is to eat packets ?

> I want to block _incoming_ packets.  Null routing these addresses is
> not sufficient, as the lame SYNs will continue to eat up resources.

I don't understand that last part. If you null route packets, surely
there's no destination for the SYNs, therefore no half-open connections get
set up?

Antony.

-- 

Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.
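The "routing table like lookup structure" Phil asks for, with a single netfilter rule referencing it, is what ipset provides today (it was not part of netfilter when this thread was written). The script below is an added example, not code from Antony, Phil or the netfilter project: it merges a large address list into the smallest set of CIDR prefixes (which also answers Antony's "assuming they don't fit into contiguous ranges" point), emits an `ipset restore` script that loads the list into a temporary set and swaps it in atomically, and prints the one rule that references the set. The set name `blocklist`, the sample addresses and the `hashsize`/`maxelem` values are constructed assumptions; dropping in the `raw` table's PREROUTING chain is chosen so matched SYNs never reach connection tracking, which is the resource cost Phil is worried about.

```python
"""Build an ipset restore script from a large blocklist (added example).

Assumes ipset and iptables are installed on the firewall. The set name,
sizes and sample addresses below are constructed for illustration.
"""
import ipaddress
from typing import Iterable, List

SET_NAME = "blocklist"  # assumed set name

# Constructed sample input: mixed hosts, prefixes, duplicates, comments,
# an IPv6 address (ignored by this IPv4-only set) and one malformed line.
SAMPLE_ADDRESSES = [
    "192.0.2.0/25",
    "192.0.2.128/25",          # adjacent to the line above: merges to /24
    "198.51.100.7",
    "198.51.100.7/32",         # duplicate of the host above
    "203.0.113.0/24  # whole range",
    "# a comment line",
    "2001:db8::1",             # IPv6: skipped, family inet set only
    "not-an-ip",               # garbage: skipped, not fatal
]


def collapse(addresses: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse hosts/CIDRs, drop comments and garbage, merge contiguous ranges."""
    nets = []
    for raw in addresses:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # skip malformed entries rather than abort the reload
        if net.version == 4:
            nets.append(net)
    # collapse_addresses removes duplicates/subsumed prefixes and joins
    # adjacent ones, so 10000 hosts often become far fewer prefixes.
    return list(ipaddress.collapse_addresses(nets))


def ipset_restore_script(nets: List[ipaddress.IPv4Network],
                         set_name: str = SET_NAME) -> str:
    """Return text for `ipset restore` that replaces the set atomically."""
    # hashsize must be a power of two; maxelem must exceed the entry count.
    maxelem = max(65536, 1 << (2 * len(nets)).bit_length())
    spec = f"hash:net family inet hashsize 65536 maxelem {maxelem}"
    tmp = f"{set_name}_tmp"
    lines = [
        f"create {set_name} {spec} -exist",   # no-op if it already exists
        f"create {tmp} {spec}",
    ]
    lines += [f"add {tmp} {net.with_prefixlen}" for net in nets]
    # swap exchanges the contents of both sets in one step, so the live
    # rule never sees an empty or half-loaded set.
    lines += [f"swap {tmp} {set_name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


def single_rule(set_name: str = SET_NAME) -> str:
    """The one iptables rule that references the whole set.

    The raw table runs before conntrack, so dropped SYNs allocate no
    connection-tracking state.
    """
    return (f"iptables -t raw -I PREROUTING -m set --match-set {set_name} "
            "src -j DROP")


if __name__ == "__main__":
    merged = collapse(SAMPLE_ADDRESSES)
    print(ipset_restore_script(merged))   # feed to: ipset restore < file
    print(single_rule())
```

Run it once to see the generated restore script, then on a firewall pipe the script into `ipset restore` and install the single rule; subsequent reloads only rerun the restore, and the rule stays untouched.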
