[geeks] .hk, .cn, .info considered harmful
Phil Stracchino
alaric at metrocast.net
Thu Jun 5 09:18:07 CDT 2008
Jonathan C. Patschke wrote:
> On Thu, 5 Jun 2008, Phil Stracchino wrote:
>
>> Problem: What netblocks to actually block. I managed to find one site
>> offering a list of .cn and .hk netblocks; the combined total is over
>> 10k, gzipped. There's got to be a better solution than that.
>
> Possibly not. You can set up pf to use tables that reference external
> files. This method is reasonably efficient. I'd be shocked if the pf
> code iterates through every entry in the tables for each packet; I'd assume
> that the table data is hashed somehow to minimize excessive compares.
>
> So, you could have something like:
> table <china> persist file "/etc/CN-cidr.txt"
> table <hongkong> persist file "/etc/HK-cidr.txt"
Aha! I didn't know that was possible. That looks like my solution,
right there. Thanks!
--
Phil Stracchino, CDK#2 DoD#299792458 ICBM: 43.5607, -71.355
alaric at caerllewys.net alaric at metrocast.net phil at co.ordinate.org
Renaissance Man, Unix ronin, Perl hacker, Free Stater
It's not the years, it's the mileage.
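As an added example (not part of this thread, and not pf's own tooling), the
following Python script takes a downloaded netblock list like the one discussed
above, validates each entry, collapses adjacent and overlapping networks so the
file loaded by `table <china> persist file "/etc/CN-cidr.txt"` is as small as
possible, and renders the matching pf.conf lines. It assumes pf's table-file
format of one address or network per line with `#` comments; the sample list,
the table names and the `egress` interface are constructed placeholders.

```python
import ipaddress
from pathlib import Path

# Constructed sample of a downloaded netblock list: unsorted, with a comment,
# a blank line, two adjacent /24s that collapse into one /23, and one
# /25 already covered by the /24 before it. Not real allocation data.
SAMPLE_CN = """# constructed sample list
203.0.113.0/24
203.0.112.0/24

198.51.100.0/24
198.51.100.128/25
192.0.2.0/24
"""

def load_cidrs(text):
    """Parse a pf-style table file: one network per line, '#' comments and
    blank lines ignored. Raises ValueError on a malformed entry so a corrupt
    download fails loudly instead of producing a half-loaded table."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from exc
    return nets

def collapse(nets):
    """Merge adjacent and overlapping networks into the minimal list."""
    return list(ipaddress.collapse_addresses(nets))

def write_table_file(path, nets):
    """Write the collapsed list in the form `table ... persist file` reads."""
    Path(path).write_text("".join(f"{n}\n" for n in nets))

def pf_rules(tables, interface="egress"):
    """Render pf.conf lines: a persistent table per (name, path) pair, then
    a block-in rule per table. 'egress' is an assumed interface group."""
    lines = [f'table <{name}> persist file "{path}"' for name, path in tables]
    lines += [f"block in quick on {interface} from <{name}>" for name, _ in tables]
    return "\n".join(lines)
```

Run `collapse(load_cidrs(...))` on each downloaded list before writing it out,
then `pfctl -t china -T replace -f /etc/CN-cidr.txt` reloads the table without
a full ruleset reload.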