> > Here's what you do: write a utility that reads the /etc/packet.deny
> > file, and translate it into ipfwadm commands. No need to change the
> > kernel.
>
> #
> # This keeps Micro$oft garbage packets out of this machine
> #
> ipfwadm -I -f
[snip rack of f/w rules]
Having heard various (and unconvincing) horror stories about the effect
that having many firewalling rules can have on network latency, I thought
up this foolish plan: firewall modules.

Compile up a (or perhaps more than one) little module with enough code in
it to handle, in an intelligent way, all of the firewalling that you
require.

Compile it with -O8 (or turn the 8 on its side :), and insmod the thing so
that your rules are, in essence, hardcoded and (of course :-) written
cunningly to minimise time taken in refusing all packets from 207.68.x.x.

It is, perhaps, unacceptably hacky, but could save a few cycles every now
and then...

So -- Am I a fool, or should I make some hacking time this weekend? :)

Matthew.
--
Matthew Kirkwood          | Mail: matthew.kirkwood@lmh.ox.ac.uk
LMH JCR,                  | Web:  http://www-jcr.lmh.ox.ac.uk/~weejock/
Oxford OX2 6QA,           | PGP:  finger weejock@ferret.lmh.ox.ac.uk
England.                  |
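The quoted suggestion at the top of the thread (a utility that reads /etc/packet.deny and emits ipfwadm commands) is easy to get wrong if the file's lines are pasted straight into a shell. The following is an added example, not code from the original post or from either poster: it assumes a deny-file format of one IPv4 network per line, written either as CIDR or in the `207.68.x.x` wildcard style used in the message, with `#` comments. Each line is parsed into an `ipaddress` network object before any command text is built, so a malformed or hostile line is rejected instead of reaching the shell, and the generated list starts with the same `ipfwadm -I -f` flush the original rule set used. The sample file contents are constructed for the example.

```python
"""Translate a /etc/packet.deny-style file into ipfwadm input-chain commands.

Added example; the file format below is an assumption, not one the original
post defines. Commands are returned as strings (dry run) so they can be
reviewed before being applied.
"""
import ipaddress
import sys

# Constructed sample input in the assumed format (not from the original post).
SAMPLE_DENY = """\
# keep unwanted networks out of this machine
207.68.x.x          # wildcard form: whole /16
10.0.0.0/8          # CIDR form
192.168.1.5         # single host -> /32
"""


def wildcard_to_network(spec):
    """Convert '207.68.x.x' style to an IPv4Network.

    Plain CIDR ('10.0.0.0/8') and bare hosts ('192.168.1.5') are passed to
    ipaddress directly, which validates them and rejects anything else.
    """
    octets = spec.split(".")
    if len(octets) == 4 and any(o.lower() == "x" for o in octets):
        fixed = [o for o in octets if o.lower() != "x"]
        # Wildcards must be a trailing suffix: '207.x.68.x' is not one prefix.
        if any(o.lower() != "x" for o in octets[len(fixed):]):
            raise ValueError(f"non-trailing wildcard in {spec!r}")
        prefix = 8 * len(fixed)
        addr = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return ipaddress.ip_network(f"{addr}/{prefix}")
    # strict=False lets a host address through as a /32; garbage still raises.
    return ipaddress.ip_network(spec, strict=False)


def parse_deny_file(text):
    """Return the list of networks named in the file, with line numbers on errors."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        try:
            nets.append(wildcard_to_network(line))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return nets


def ipfwadm_commands(nets, flush=True):
    """Build the ipfwadm command lines: flush the input chain, then deny each net.

    Only the canonical network/prefix text produced by ipaddress is ever
    interpolated, so nothing from the file reaches a shell unvalidated.
    """
    cmds = []
    if flush:
        cmds.append("ipfwadm -I -f")
    for net in nets:
        cmds.append(f"ipfwadm -I -a deny -S {net.network_address}/{net.prefixlen}")
    return cmds


if __name__ == "__main__":
    # Dry run over the constructed sample: print the commands, do not execute them.
    for cmd in ipfwadm_commands(parse_deny_file(SAMPLE_DENY)):
        print(cmd)
    # A bad line stops the whole translation rather than emitting a partial rule set.
    try:
        parse_deny_file("207.68.x.x\n10.0.0.0/8; echo injected\n")
    except ValueError as exc:
        print("rejected:", exc, file=sys.stderr)
```

Running the script prints the flush followed by one `-a deny -S` rule per network; pointing it at a real file and piping the output to `sh` is left as an explicit, reviewable step rather than done automatically.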