Firewalls: IPFW, PF, IPF (but not limited to) related discussion
#1
I'm running a small web and email server on 32-bit FreeBSD version 9.0.
I just moved my email domains from another internet service provider, who had really great spam blocking. Now I'm seeing a lot of spam traffic coming from outside the United States. My first reaction is to block everything outside of the U.S., but that seems to be the most rule-intensive, so I found a list of the U.S. IP addresses, which would require 42,445 rules. Would that size rule set be too much? If so, does anyone have a better way?
Thanks, -Rusty

#2

__________________
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.

#3

Or use an RBL. We use spamhaus at work.
I also came across this: Putting the Spamhaus DROP list in FreeBSD's ipfw. Perhaps I'll see what it would take to make it work for ipfilter, since it's what we've been using on Solaris. I think you can also do GeoIP filtering in postfix.
The Dreamer.

#4

Since I get login attempts from mostly the same address blocks, it seemed logical to block those address blocks as well.
I do use RBL, which I have to check daily. It seemed like it would cut an enormous amount of traffic to catch it at the firewall.
-Rusty

#5

Take a look at security/sshguard-ipfw. It's originally designed to block ssh break-in attempts but can be made to block based on other types of login attempts, IMAP/POP for example.

The following user says thank you to kpa for this useful post: wblock@ (July 19th, 2012)

#6

Thank you for the help SirDice, TheDreamer, and kpa. I have a spam filter up and running. The DROP list was a good idea and it added quite a few more addresses than I already had, which is bound to help. I did install sshguard-ipfw, which looks like it should help with security.
Thanks again, -Rusty

#7

Not really pertaining to ipfw, but for reducing email spam, the most helpful thing for me has been mail/milter-greylist (combined with spamassassin).
If the traffic is not hitting your smtp server port, then maybe ipfw tables would also help. Not sure if you've tried that versus blocking individual IP addresses, one per rule line.

#8

Performance-wise, it's better to use ipfw tables instead of individual 'ipfw add' lines. If the maximum number of table items is reached, then you can use another method: routing. zebra (from the quagga suite) can add a lot of routes to a 'disc' (discard) device.
The best anti-spam approach I've used so far is: greylisting + postfix + standards compliance checking + rbl lookups + amavisd-new ( + spamassassin ) + antivirus
__________________
My blog: http://ghid-it.blogspot.com
Other guides: http://sites.google.com/site/ghidit/

#9

Second the tables suggestion. Add the IPs to a table, then reference that table in a single IPFW rule. If you have too many for a single table, then use more than one. Table lookups are very fast.
Code:
# ipfw table 1 add 1.2.3.4
# ipfw table 1 add 2.3.4.5
# ipfw table 2 add 3.4.5.0/24
# ipfw add 1 unreach host ip from table\(1\) to any in recv em0
# ipfw add 2 unreach host ip from table\(2\) to any in recv em0
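The following script ties together the advice in posts #3, #8 and #9: it takes a Spamhaus-DROP-style list, validates each entry, loads the CIDR blocks into one ipfw table and references that table from a single rule written in the form post #9 shows. It is an example added to this thread, not code from any of the posters or from Spamhaus. Everything concrete in it is an assumption: table number 10, rule number 100, interface em0, the DROP file layout of one "CIDR ; SBLnnnn" entry per line with ";"-prefixed comment lines, and the sample list itself, which is constructed from RFC 5737 documentation networks and is not real DROP data.

```sh
#!/bin/sh
# Added example for this thread (not from any poster): load a Spamhaus
# DROP-style list into an ipfw table and reference it from one rule.
# Assumptions (mine, not from the thread): table 10, rule 100, interface em0,
# DROP layout "CIDR ; SBLnnnn" with ";"-prefixed comment lines.

DROP_TABLE=10
DROP_RULE=100
IFACE=em0

# Constructed sample in DROP-list layout (RFC 5737 documentation networks).
# NOT real Spamhaus data; the last line is deliberately malformed.
SAMPLE_DROP='; Spamhaus DROP List - constructed sample, not real data
; Last-Modified: Thu, 19 Jul 2012 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/24 ; SBL000003
not an address ; SBL000004
'

# drop_to_ipfw TABLE: read DROP-style lines on stdin and print one
# "ipfw table TABLE add CIDR" line per well-formed entry. Comment and blank
# lines are skipped; anything that is not a.b.c.d/0-32 is reported on stderr
# and dropped, so a truncated or tampered download never reaches ipfw.
drop_to_ipfw() {
    table=$1
    while IFS= read -r line; do
        case $line in
            ''|';'*) continue ;;
        esac
        cidr=$(printf '%s' "${line%%;*}" | sed 's/[[:space:]]//g')
        if printf '%s\n' "$cidr" |
           grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
            printf 'ipfw table %s add %s\n' "$table" "$cidr"
        else
            printf 'drop_to_ipfw: skipping malformed entry: %s\n' "$line" >&2
        fi
    done
}

# drop_rule TABLE RULE IFACE: the single rule that references the table, in
# the form used in post #9 (parentheses escaped for the shell). It is added
# once; refilling the table later does not touch the rule.
drop_rule() {
    printf 'ipfw add %s unreach host ip from table\\(%s\\) to any in recv %s\n' \
        "$2" "$1" "$3"
}

# reload_drop_table FILE: flush the table and refill it from FILE. With
# DRY_RUN=1 (the default) the ipfw commands are only printed; run with
# DRY_RUN=0 as root on the firewall to execute them.
reload_drop_table() {
    {
        printf 'ipfw table %s flush\n' "$DROP_TABLE"
        drop_to_ipfw "$DROP_TABLE" < "$1"
    } | if [ "${DRY_RUN:-1}" = 1 ]; then cat; else sh -e; fi
}

# Stand-alone demo on the constructed sample (dry run): the table refill plus
# the one rule that stays in place across refills.
tmp=$(mktemp) && printf '%s' "$SAMPLE_DROP" > "$tmp"
reload_drop_table "$tmp"
drop_rule "$DROP_TABLE" "$DROP_RULE" "$IFACE"
rm -f "$tmp"
```

Because the rule matches on the table rather than on addresses, a cron job only ever has to re-run reload_drop_table when the list changes; the rule set stays at one line no matter how many blocks the list grows to. Two caveats: the flush-then-add refill leaves the table briefly empty (if that matters, fill a second table and then repoint the rule at it), and the validation only checks the shape of each entry, so fetch the list over a channel you trust before feeding it to the firewall.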