IP range in pf.conf table.
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: IP range in pf.conf table.
- From: Jason Crawford <jasonrcrawford_(_at_)_gmail_(_dot_)_com>
- Date: Tue, 12 Apr 2005 09:39:07 -0400
- Reply-to: Jason Crawford <jasonrcrawford_(_at_)_gmail_(_dot_)_com>
Is there a way to list a range of IP addresses (not in CIDR format) in a table in pf.conf for OpenBSD 3.6? The only way to specify a range that I saw in the man page was in CIDR format, however 192.168.10.100 - 192.168.10.199 isn't a valid range in CIDR format.

I need to restrict that range to a max of 300,000 state table entries. I have configured pf to allow a max of 350,000 states, however the range 100 - 199 is doing A LOT of scans, and I don't want that range to lock out everyone else. At this point, I just have every single IP in a table and am restricting it that way, however I'd like to just put in a range. That many states is necessary, as I saw the state table go from 50,000 to 93,000 states in a matter of seconds, so I figured 300,000 should be good enough, and would leave 50,000 for the rest of the IP addresses.

A few specs on the firewall: PIII 1GHz with 512MB RAM using fxp ethernet cards, and the other 6 firewalls (7 total firewalls with a mesh VPN setup) all running the same except one which has 1.4GHz, 512MB RAM and em cards. OpenBSD 3.6 has been performing very well, with no major issues, especially considering the volume of traffic (I'm talking pps, not bps) going through these firewalls.
Jason
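One way to do what the post asks for without listing every address: split the non-CIDR range into the handful of CIDR blocks that cover it exactly, load them from a table file, and cap the states that traffic from the table may hold with the per-rule `max` state option, so the global `set limit states` still leaves room for everyone else. This is an added example, not code from the post or from OpenBSD; the table name `scanners`, the path `/etc/pf/scanners` and the two-rule layout are assumptions, while the range and the 350,000 / 300,000 state counts are the ones the post gives. The decomposition is the standard greedy one (largest aligned block that still fits), and it is cross-checked against Python's `ipaddress` module.

```python
"""Expand an inclusive IPv4 range into minimal CIDR blocks and emit the pf
table file plus pf.conf lines that cap that table's share of the state table.

Added example, not from the original post. Assumed names: table <scanners>,
file /etc/pf/scanners, and the rule layout below.
"""
import ipaddress


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Greedy CIDR decomposition of first..last (both inclusive).

    At each step the block must start at `cur`, so its size is bounded by
    the alignment of `cur` (its lowest set bit); it is then halved until it
    no longer runs past `last`.
    """
    cur = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if cur > end:
        raise ValueError("range start is after range end")
    blocks = []
    while cur <= end:
        # lowest set bit of cur; address 0 is aligned to everything (/0)
        size = cur & -cur if cur else 1 << 32
        while cur + size - 1 > end:
            size >>= 1
        prefix = 33 - size.bit_length()       # size 4 -> /30, size 1 -> /32
        blocks.append(f"{ipaddress.IPv4Address(cur)}/{prefix}")
        cur += size
    return blocks


def matches_stdlib(first: str, last: str) -> bool:
    """Cross-check against ipaddress.summarize_address_range."""
    std = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]
    return std == range_to_cidrs(first, last)


def pf_table_file(first: str, last: str) -> str:
    """Contents for a file loaded via `table <name> persist file "..."`:
    one address or CIDR block per line, '#' comments allowed."""
    lines = [f"# {first} - {last}, expanded to CIDR blocks"]
    lines += range_to_cidrs(first, last)
    return "\n".join(lines) + "\n"


def pf_conf_snippet(table: str, path: str, total_states: int,
                    table_max: int) -> str:
    """pf.conf fragment (assumed layout): a global state limit and a rule
    for the table whose `max` option refuses new states once the cap is
    reached, so the capped hosts cannot consume the whole state table."""
    if table_max >= total_states:
        raise ValueError("per-table cap must leave room for other hosts")
    return (
        f'table <{table}> persist file "{path}"\n'
        f"set limit states {total_states}\n"
        f"# once this rule holds {table_max} states, further packets from\n"
        f"# the table do not get a new state (see pf.conf(5), 'max')\n"
        f"pass in quick from <{table}> keep state (max {table_max})\n"
        f"pass in keep state\n"
    )


if __name__ == "__main__":
    FIRST, LAST = "192.168.10.100", "192.168.10.199"   # range from the post
    print(pf_table_file(FIRST, LAST))
    print(pf_conf_snippet("scanners", "/etc/pf/scanners", 350000, 300000))
```

For the range in the post this yields five entries (192.168.10.100/30, .104/29, .112/28, .128/26 and .192/29), which is exactly 4 + 8 + 16 + 64 + 8 = 100 addresses. After writing the table file, `pfctl -t scanners -T show` confirms what was loaded, and `pfctl -s info` shows the current state count against the limit.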