* using with big ban lists (peerguardian and so).
From: jdf [zionarea.org] @ 2005-01-20 20:07 UTC (permalink / raw)
To: netfilter
Hi,
I intended to use the PeerGuardian ban list inside my iptables rules.
I've written a program in C++ to read this file and to run iptables
commands (using the system function).
However it is very very very slow (1 hour picked up a very few of
all the machines). It might be due to the fact that I don't use
iprange. Is it true?
Is there any way to do that in a fast manner without using iprange?
I mean:
when I have addresses like 4.1.2.0-4.1.3.255, I need to call as many
iptables commands as there are computers. iprange seems to be best
but I'm not sure if I will get a speed-up.
Thank you.
* Re: using with big ban lists (peerguardian and so).
From: Jason Opperisano @ 2005-01-20 20:29 UTC (permalink / raw)
To: netfilter
On Thu, 2005-01-20 at 15:07, jdf [zionarea.org] wrote:
> Hi,
>
> I intended to use the PeerGuardian ban list inside my iptables rules.
> I've written a program in C++ to read this file and to run iptables
> commands (using the system function).
> However it is very very very slow (1 hour picked up a very few of
> all the machines). It might be due to the fact that I don't use
> iprange. Is it true?
> Is there any way to do that in a fast manner without using iprange?
>
> I mean:
>
> when I have addresses like 4.1.2.0-4.1.3.255, I need to call as many
> iptables commands as there are computers. iprange seems to be best
> but I'm not sure if I will get a speed-up.
>
> Thank you.
you may want to add network summarization capabilities to your program;
as your example "range" can be summarized as: 4.1.2.0/23...which
results in 1 rule instead of 512 rules.
i use the perl NetAddr::IP module to do things like this.
-j
--
"The only monster here is the gambling monster that has enslaved your
mother! I call him Gamblor, and it's time to snatch your mother from
his neon claws!"
--The Simpsons
* Re: using with big ban lists (peerguardian and so).
From: Samuel Jean @ 2005-01-20 20:29 UTC (permalink / raw)
To: jdf [zionarea.org]; +Cc: netfilter
On Thu, January 20, 2005 3:07 pm, jdf [zionarea.org] said:
>
>
> Hi,
Hi!
>
> I intended to use the PeerGuardian ban list inside my iptables rules.
ipset 2.0 better suits your need. Only one rule is required.
http://people.netfilter.org/kadlec/ipset/
Sorry if I am way out of target.
> Thank you.
>
>
HTH,
Samuel
* Re: using with big ban lists (peerguardian and so).
From: jdf [zionarea.org] @ 2005-01-21 19:30 UTC (permalink / raw)
To: netfilter
Selon Jason Opperisano <opie@817west.com>:
> On Thu, 2005-01-20 at 15:07, jdf [zionarea.org] wrote:
> > Hi,
> >
> > I intended to use the PeerGuardian ban list inside my iptables rules.
> > I've written a program in C++ to read this file and to run iptables
> > commands (using the system function).
> > However it is very very very slow (1 hour picked up a very few of
> > all the machines). It might be due to the fact that I don't use
> > iprange. Is it true?
> > Is there any way to do that in a fast manner without using iprange?
> >
> > I mean:
> >
> > when I have addresses like 4.1.2.0-4.1.3.255, I need to call as many
> > iptables commands as there are computers. iprange seems to be best
> > but I'm not sure if I will get a speed-up.
> >
> > Thank you.
>
> you may want to add network summarization capabilities to your program;
> as your example "range" can be summarized as: 4.1.2.0/23...which
> results in 1 rule instead of 512 rules.
OK. This seems good. I'll have a look at that solution.
>
> i use the perl NetAddr::IP module to do things like this.
Don't know that, I'll google it.
>
> -j
>
> --
> "The only monster here is the gambling monster that has enslaved your
> mother! I call him Gamblor, and it's time to snatch your mother from
> his neon claws!"
> --The Simpsons
>
>
>
* about iprange
From: jdf [zionarea.org] @ 2005-01-25 13:45 UTC (permalink / raw)
To: netfilter
Using network addresses like 192.168.0/8 is fine, but it's not granular
enough, simply because we cannot cover all the addresses if they don't
follow this contiguous rule.
So I'm finally wondering about iprange. Most Linux distributions, at least
the ones I know, don't provide iprange for the kernel. Are there any
performance or security issues behind this behaviour? Or is it simply a
'bad' choice by those distributors? But maybe it's simply due to the
kernel version. It appears 2.6.x provides this option by default; but if
I remember well, 2.4.x didn't.
* Re: about iprange
From: John A. Sullivan III @ 2005-01-25 16:51 UTC (permalink / raw)
To: jdf [zionarea.org]; +Cc: Netfilter users list
On Tue, 2005-01-25 at 14:45 +0100, jdf [zionarea.org] wrote:
> Using network addresses like 192.168.0/8 is fine, but it's not granular
> enough, simply because we cannot cover all the addresses if they don't
> follow this contiguous rule.
>
> So I'm finally wondering about iprange. Most Linux distributions, at least
> the ones I know, don't provide iprange for the kernel. Are there any
> performance or security issues behind this behaviour? Or is it simply a
> 'bad' choice by those distributors? But maybe it's simply due to the
> kernel version. It appears 2.6.x provides this option by default; but if
> I remember well, 2.4.x didn't.
>
I had asked this same question as we considered enabling iprange rule
creation for the ISCS network security management project
(http://iscs.sourceforge.net). We were told by the patch's creator that
there is virtually no additional overhead compared to a subnet match
(assuming I understood him correctly!).
We found we needed to accommodate solutions both ways within ISCS, i.e.,
if a gateway supports iprange, we write iptables rules with ranges. If
not, we use the logic found in SubnetCreator
(http://subnetcreator.sourceforge.net) to break the range into subnets
and then create rules for the resultant subnets. Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
* Re: about iprange
From: Tom Eastep @ 2005-01-25 17:08 UTC (permalink / raw)
To: Netfilter users list
John A. Sullivan III wrote:
>
> We found we needed to accommodate solutions both ways within ISCS, i.e.,
> if a gateway supports iprange, we write iptables rules with ranges. If
> not, we use the logic found in SubnetCreator
> (http://subnetcreator.sourceforge.net) to break the range into subnets
> and then create rules for the resultant subnets.
FWIW, Shorewall takes the same approach although Shorewall has its own
code for converting a range into a list of subnets.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
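The range-to-subnet conversion that Jason Opperisano suggests adding to the program, and that John A. Sullivan III (SubnetCreator) and Tom Eastep (Shorewall) describe as their fallback when a gateway lacks iprange, as an added Python example. This is not code from the thread, from SubnetCreator or from Shorewall; `range_to_cidrs` is my own implementation of the standard alignment algorithm, cross-checked against the standard library's `ipaddress.summarize_address_range`. It parses a constructed PeerGuardian-style `label:first-last` list (sample data, not a real ban list), splits each range into the minimal set of aligned CIDR blocks, and renders either one `-s` rule per block or, where the kernel has the iprange match, one `-m iprange --src-range` rule per range. The thread's own example, 4.1.2.0-4.1.3.255, comes out as the single block 4.1.2.0/23 that Jason names.

```python
import ipaddress
import re

# Constructed sample in PeerGuardian's "label:first-last" (p2p) line format; not a real ban list.
SAMPLE_BANLIST = """\
# comment lines and blank lines are ignored

Example range from the thread:4.1.2.0-4.1.3.255
Non-aligned range:10.0.0.1-10.0.0.6
Single host:192.0.2.7-192.0.2.7
Malformed line that must be skipped:300.1.1.1-300.1.1.9
"""

# The label may itself contain ':', so the last ':' before the range separates the two.
LINE_RE = re.compile(
    r"^(?P<label>.*):(?P<first>\d{1,3}(?:\.\d{1,3}){3})-(?P<last>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_banlist(text):
    """Return (label, first, last) tuples for well-formed lines; anything else is dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        try:
            first = ipaddress.IPv4Address(m["first"])
            last = ipaddress.IPv4Address(m["last"])
        except ipaddress.AddressValueError:
            continue  # e.g. an octet above 255
        if first > last:
            continue  # reversed range: refuse rather than guess
        entries.append((m["label"], str(first), str(last)))
    return entries


def range_to_cidrs(first, last):
    """Split the inclusive IPv4 range first..last into the minimal list of CIDR blocks.

    A CIDR block of 2**k addresses must start on a multiple of 2**k, so at each step
    we take the largest block that is both aligned at `start` and does not run past `end`.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError(f"range start {first} is after its end {last}")
    blocks = []
    while start <= end:
        prefix = 32  # a single host always fits
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))  # size of the next larger block
            if start % size != 0 or start + size - 1 > end:
                break
            prefix -= 1
        blocks.append(f"{ipaddress.IPv4Address(start)}/{prefix}")
        start += 1 << (32 - prefix)
    return blocks


def matches_stdlib(first, last):
    """Cross-check range_to_cidrs against ipaddress.summarize_address_range."""
    expected = [
        str(net)
        for net in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        )
    ]
    return range_to_cidrs(first, last) == expected


def iptables_rules(entries, chain="INPUT", use_iprange=False):
    """Render DROP rules as text: one iprange rule per range, or one -s rule per CIDR block."""
    rules = []
    for _label, first, last in entries:
        if use_iprange:
            rules.append(f"iptables -A {chain} -m iprange --src-range {first}-{last} -j DROP")
        else:
            for cidr in range_to_cidrs(first, last):
                rules.append(f"iptables -A {chain} -s {cidr} -j DROP")
    return rules


if __name__ == "__main__":
    entries = parse_banlist(SAMPLE_BANLIST)
    for rule in iptables_rules(entries):
        print(rule)
    for rule in iptables_rules(entries, use_iprange=True):
        print(rule)
```

Two design points worth keeping whichever branch you end up using: the parser only accepts lines that match the expected shape and re-validates every octet, so a malformed or hostile list entry never reaches a shell command unchecked (the original program's per-entry system() call would have had no such barrier); and the rules are produced as text rather than executed one at a time, so they can be written to a file and loaded in one batch, which is where the hour-long load time in the first message really goes.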
* Re: about iprange
From: jdf [zionarea.org] @ 2005-01-25 17:51 UTC (permalink / raw)
To: Netfilter users list
Selon "John A. Sullivan III" <jsullivan@opensourcedevelopmentcorp.com>:
> On Tue, 2005-01-25 at 14:45 +0100, jdf [zionarea.org] wrote:
> > Using network addresses like 192.168.0/8 is fine, but it's not granular
> > enough, simply because we cannot cover all the addresses if they don't
> > follow this contiguous rule.
> >
> > So I'm finally wondering about iprange. Most Linux distributions, at least
> > the ones I know, don't provide iprange for the kernel. Are there any
> > performance or security issues behind this behaviour? Or is it simply a
> > 'bad' choice by those distributors? But maybe it's simply due to the
> > kernel version. It appears 2.6.x provides this option by default; but if
> > I remember well, 2.4.x didn't.
> >
> I had asked this same question as we considered enabling iprange rule
> creation for the ISCS network security management project
> (http://iscs.sourceforge.net). We were told by the patch's creator that
> there is virtually no additional overhead compared to a subnet match
> (assuming I understood him correctly!).
>
> We found we needed to accommodate solutions both ways within ISCS, i.e.,
> if a gateway supports iprange, we write iptables rules with ranges. If
> not, we use the logic found in SubnetCreator
> (http://subnetcreator.sourceforge.net) to break the range into subnets
> and then create rules for the resultant subnets. Hope this helps - John
This helps. I'll have a look at those addresses too.
Thank you.
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@opensourcedevel.com
>
> Financially sustainable open source development
> http://www.opensourcedevel.com
>
>