 From:  Kris Maglione <bsdaemon at comcast dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] loadable block lists
 Date:  Wed, 14 Sep 2005 17:42:14 -0400
Peter wrote:

> Way too much traffic for that. I did try http://phprbl.init1.nl/ but lookups are too slow. All those
> types of options require the server to do more work and dns lookups. My current system is very
> efficient but it would be better to deny the request at the firewall level.
The only thing that I can recommend for m0n0wall is to have someone
write a patch to bulk add the rules that you want. As long as we're
using ipf, it seems like a bad option to let people bulk load IPs for a
particular rule, since it requires a separate rule for each one, and
people are likely to wind up shooting themselves in the foot.

If m0n0wall used pf, which, unfortunately, it doesn't, it would be a
simple matter of making a table of all of the IPs and writing a block
rule for it. That approach would be fast and efficient. If your server
is BSD (which I would surmise that it's not) you could run a local pf
firewall for that express purpose.

There's one other option that I can think of, and that's using a program
like curl to post each rule to the firewall_rules_edit.php. It's
probably the simplest way. It still has the performance implications
mentioned before.
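The pf approach described in the second paragraph (one table of addresses, one block rule), as an added example that is not part of the list message; the interface name em0, the file path /etc/blocklist.txt and the 192.0.2.x addresses are assumed placeholders:

```pf
# pf.conf fragment (added example; em0 and /etc/blocklist.txt are assumed names).
ext_if = "em0"

# A table holds every blocked address or CIDR prefix, one per line in the
# file (lines starting with # are comments). The ruleset itself needs only
# a single rule, however many entries the table grows to.
#   "persist" keeps the table alive even when no rule references it yet;
#   "file"    loads the initial contents when the ruleset is loaded.
table <blocklist> persist file "/etc/blocklist.txt"

# Drop inbound traffic from listed hosts on the external interface before
# any other rule is evaluated; "log" makes the drops visible on pflog0.
block in quick log on $ext_if from <blocklist> to any

# Example /etc/blocklist.txt (constructed; TEST-NET-1 addresses):
#   192.0.2.10
#   192.0.2.128/25

# Table maintenance with pfctl does not require reloading the ruleset:
#   pfctl -t blocklist -T replace -f /etc/blocklist.txt   # reload from file
#   pfctl -t blocklist -T add 192.0.2.77                   # add one address
#   pfctl -t blocklist -T delete 192.0.2.77                # remove it again
#   pfctl -t blocklist -T show                             # list contents
```

Because the table lookup is a radix-tree search rather than a linear walk through per-address rules, the cost of a large list stays near-constant, which is the efficiency point the message makes against the ipf one-rule-per-address approach.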