On Mon, Mar 24, 2008 at 11:34:58PM +0000, Paul Vixie wrote:
> i only use or recommend operating systems that have their own host based firewalls. soon that will mean pf (from openbsd but available on freebsd) but right now that means ipfw. ipfw has a "table" construct which uses a data structure similar to the kernel's routing table. with a little bit of tuning, and using X86_64 to get more kernel memory map space than I386, i've listed every member of 60K-node botnets in a table whose only use is "if a SYN comes from here, silently drop it with no ICMP response". with more tuning work, a 200K-node botnet would pose no problem. we populate these tables with a perl script that watches the apache server's logfiles.
Even on an untuned fbsd i386, I had success with an ipfw table with well over 1e6 entries. What finally broke was doing a table list, possibly because the command prints in sorted order. No performance problems were observed at my limited volume of perhaps 30000 hits per day.

-- 
Barney Wolff
I never met a computer I didn't like.
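The setup both messages describe, written out as an added example (not Paul's or Barney's code, and in Python rather than the Perl script Paul mentions): an ipfw rule that silently drops SYNs ("setup" packets) from addresses in table 1, plus a log reader that turns repeat 4xx offenders from a constructed Apache "combined" log into "ipfw table 1 add" commands. The threshold, the 4xx criterion, the allowlist of local nets and the sample log lines are all assumptions chosen for the example; it only emits commands, so the rule and table are never touched by running it.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" log format; only the fields used below are captured.
_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
# Silently drop a TCP SYN ("setup") from any address in table 1: "deny" sends
# nothing back, unlike "reject"/"unreach", which answer with ICMP.
IPFW_RULE = 'ipfw add 100 deny tcp from "table(1)" to any setup'

def parse_line(line):
    """Return (client_ip, request, status) or None for a malformed line."""
    m = _LINE.match(line)
    return (m.group("ip"), m.group("req"), int(m.group("status"))) if m else None

def offenders(lines, threshold=3, allow=()):
    """Clients with >= threshold 4xx responses, minus allowlisted nets and anything
    that is not a valid address (a garbled line must never become a table entry)."""
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and 400 <= parsed[2] < 500:
            hits[parsed[0]] += 1
    out = set()
    for ip, n in hits.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if n >= threshold and not any(addr in net for net in allow_nets):
            out.add(ip)
    return out

def ipfw_commands(ips, table=1):
    """One 'ipfw table N add' per address, sorted numerically for stable output."""
    return ["ipfw table %d add %s" % (table, ip) for ip in sorted(ips, key=ipaddress.ip_address)]

def _log(ip, path, status):  # constructed sample line, not real traffic
    return '%s - - [24/Mar/2008:23:34:58 +0000] "GET %s HTTP/1.1" %d 512 "-" "curl/7.18"' % (ip, path, status)

SAMPLE_LOG = ([_log("192.0.2.10", "/missing", 404)] * 4 + [_log("192.0.2.10", "/", 200)]
              + [_log("192.0.2.11", "/missing", 404)] * 2  # below threshold
              + [_log("198.51.100.7", "/private", 403)] * 3
              + [_log("192.168.1.5", "/missing", 404)] * 5  # allowlisted below
              + ["garbled line that does not parse"])
LOCAL_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")

if __name__ == "__main__":
    for cmd in [IPFW_RULE] + ipfw_commands(offenders(SAMPLE_LOG, allow=LOCAL_NETS)):
        print(cmd)  # dry run: review the list, then feed it to sh on the firewall host
```

Keep the script's own record of what it has added (a file of addresses) rather than reading the table back, since, as Barney notes, "ipfw table 1 list" is the operation that fails first once the table grows large.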