
Re: IP range in pf.conf table.



Jason Crawford wrote:
> Is there a way to list a range of IP addresses (not in CIDR format) in
> a table in pf.conf for OpenBSD 3.6? The only way to specify a range
> that I saw in the man page was in CIDR format, however 192.168.10.100
> - 192.168.10.199 isn't a valid range in CIDR format. I need to
> restrict that range to a max of 300,000 state table entries. I have
> configured pf to allow a max of 350,000 states, however the range 100
> - 199 are doing A LOT of scans, and I don't want that range to lock
> out everyone else. At this point, I just have every single IP in a
> table and restricting it that way, however I'd like to just put in a
> range. That many states is necessary, as I saw the state table go
> from 50,000 to 93,000 states in a matter of seconds, so I figured
> 300,000 should be good enough, and would leave 50,000 for the rest of
> the IP addresses. A few specs on the firewall, pIII 1GHz with 512MB
> ram using fxp ethernet cards, and the other 6 firewalls (7 total
> firewalls with mesh vpn setup) all running the same except one which
> has 1.4GHz 512MB ram and em cards. OpenBSD 3.6 has been performing
> very well, with no major issues, especially considering the volume of
> traffic (I'm talking pps, not bps) going through these firewalls.
> 
> Jason

A sick and convoluted way...
  ...100/30   (100-103)
  ...104/29   (104-111)
  ...112/28   (112-127)
  ...128/26   (128-191)
  ...192/29   (192-199)

but, only five entries... :)
(not responsible for the probable slipped bit in there.  I could never
keep decimal point right, in any base...)

Somewhat more practically speaking... PF handles tables well.  That's
the secret to OpenBSD's spamd -- that you really can handle thousands
and thousands of individual IP addresses efficiently.  A hundred is no
sweat.

Back to my taxes now, where I should have been, rather than figuring out
the above...

Nick.
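The general form of the decomposition Nick writes out by hand, as an added example that is not part of the original thread: a Python function that splits any inclusive IPv4 range into the fewest aligned CIDR blocks, cross-checks the result against the standard library, and emits a pf table definition. The table name `scanners` is a made-up placeholder.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Split the inclusive IPv4 range first..last into the fewest CIDR blocks.

    Greedy walk from the low end: at each position take the largest block
    whose start is aligned on its own size and whose end does not pass `last`.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is after range end")
    blocks = []
    while start <= end:
        size = 1  # a /32 is always aligned and always fits
        while (size < (1 << 32)
               and start % (size * 2) == 0          # aligned at the next size up
               and start + size * 2 - 1 <= end):    # and still inside the range
            size *= 2
        prefix = 32 - (size.bit_length() - 1)       # block size 2^k -> /(32-k)
        blocks.append(f"{ipaddress.IPv4Address(start)}/{prefix}")
        start += size
    return blocks


def covers_exactly(first, last, blocks):
    """True if the blocks cover every address in first..last and nothing else."""
    nets = [ipaddress.IPv4Network(b) for b in blocks]
    total = sum(n.num_addresses for n in nets)
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    return (total == int(ipaddress.IPv4Address(last)) - int(ipaddress.IPv4Address(first)) + 1
            and lo == int(ipaddress.IPv4Address(first))
            and hi == int(ipaddress.IPv4Address(last)))


def matches_stdlib(first, last):
    """Cross-check against ipaddress.summarize_address_range (same algorithm)."""
    ref = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]
    return range_to_cidrs(first, last) == ref


def pf_table(name, first, last):
    """Render a pf.conf table holding the range as CIDR blocks."""
    return f"table <{name}> {{ {', '.join(range_to_cidrs(first, last))} }}"


if __name__ == "__main__":
    # The range from the question: five entries, as in Nick's list.
    print(pf_table("scanners", "192.168.10.100", "192.168.10.199"))
```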