Practical limit on the number if IPFW rules

[trwzm]

I'm running a small web and email server on 32-bit FreeBSD version 9.0.
I just moved my email domains from another internet service provider, who had really great spam blocking. Now I'm seeing a lot of spam traffic coming from outside the United States. My first reaction is to block everything outside of the U.S., but that seems to be the most rule intensive, so I found a list of the U.S. IP addresses, which would require 42,445 rules. Would that size rule set be too much? If, so, does anyone have a better way?

Thanks,

-Rusty

 

[SirDice]

Blocking on IP addresses is rather a futile business. Use a spamfilter.

mail/p5-Mail-SpamAssassin

 

[TheDreamer]

Or use an RBL. We use spamhaus at work.

I also came across this Putting the Spamhaus DROP list in FreeBSD’s ipfw. Perhaps I'll I see what it would take to make it work for ipfilter, since its what we've been using on Solaris.

Think you can also do GeoIP filtering in postfix.

The Dreamer.

 

[trwzm]

Since I get login attempts from mostly the same address blocks, it seemed logical to block those address blocks as well.

I do use RBL, which I have to check daily. It seemed like it would cut an enormous amount of traffic to catch it at the firewall.

-Rusty

 

[kpa]

Take a look at security/sshguard-ipfw, it's originally designed to block ssh break in attempts but can be made to block based on other types of login attempts, IMAP/POP for example.

 

[trwzm]

Thank you for the help SirDice, TheDreamer, and kpa. I have a spam filter up and running. The DROP list was a good idea and it added quite a few more addresses than I already had, which is bound to help. I did install sshguard-ipfw, which looks like it should help with security.

Thanks again,

-Rusty

 

[qsecofr]

Not really pertaining to ipfw, but for reducing email spam, the most helpful thing for me has been mail/milter-greylist (combined with spamassassin).

If the traffic is not hitting your smtp server port, then maybe ipfw tables would also help. Not sure if you've tried that versus blocking individual IP addresses each per rule line.

 

[ecazamir]

Performance-wise, it's better to use ipfw tables instead of individual 'ipfw add' lines. If the maximum table items is reached, then you can use another method: routing. zebra (from quagga suite) can add a lot of routes to a 'disc' (discard) device.
The best anti-spam approach I've used so far is:
greylisting + postfix + standards compliance checking + rbl lookups + amavisd-new ( + spamassassin ) + antivirus

 

[phoenix]

Second the tables suggestion. Add the IPs to a table, then reference that table in a single IPFW rule. If you too many for a single table, then use more than one. Table lookups are very fast.

# ipfw table 1 add 1.2.3.4
# ipfw table 1 add 2.3.4.5
# ipfw table 2 add 3.4.5.0/24
# ipfw add 1 unreach host ip from table\(1\) to any in recv em0
# ipfw add 2 unreach host ip from table\(2\) to any in recv em0