Hi there,

On Thu, 27 Oct 2011 Michelle Konzack wrote:

> On 2011-10-17 13:28:43, you hacked down the following:
> > ... I found that setting up iptables to do drops for known bad
> > IPs/ranges was slightly better as the traffic never gets to BIND
> > ...
> > Example rules for various IPs that have annoyed me in the past:
> > -A RH-Firewall-1-INPUT -s 68.222.240.22 -j DROP
> > -A RH-Firewall-1-INPUT -s 203.142.82.222 -j DROP
> > -A RH-Firewall-1-INPUT -s 217.54.97.137 -j DROP
> > -A RH-Firewall-1-INPUT -s 217.219.20.226 -j DROP
> > -A RH-Firewall-1-INPUT -s 218.212.248.7 -j DROP
>
> ...and you get hell on your ass if you have several thousand of them!
> In this case, bind9 with RPZ is cheaper.

Maybe look at ipsets.

Currently we firewall almost 76,000 networks.

[root@mail3 ~]# ipset -L | grep -v BLOCK | wc -l
75845

-- 
73, Ged.
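Ged's ipset suggestion worked through, as an added example that is not part of the thread and not Ged's or Michelle's own script: a POSIX shell script that turns a plain-text blocklist into an "ipset restore" file for a hash:net set, validates every entry (bad octets and bad prefix lengths are rejected, bare hosts become /32), loads it into a scratch set and swaps it in atomically so the live firewall never sees a half-loaded list, and then references the set from the quoted RH-Firewall-1-INPUT chain with one "-m set --match-set" rule instead of one DROP per address. The set name BLOCK, the scratch-set naming, the hashsize/maxelem values and the constructed blocklist (the five addresses from the quoted post plus a CIDR, a comment and two deliberately invalid lines) are assumptions; "hash:net", "ipset swap", "ipset -exist restore" and "iptables -C" are real ipset/iptables syntax.

```shell
#!/bin/sh
# Added example, not code from the bind-users thread. Generates an ipset restore
# file from BLOCKLIST, loads it via a scratch set + swap, and installs a single
# iptables rule that drops anything whose source is in the set.
# Assumptions: set name BLOCK, chain RH-Firewall-1-INPUT (from the quoted post),
# hashsize/maxelem values, and the constructed sample blocklist below.

SET_NAME=${SET_NAME:-BLOCK}
CHAIN=${CHAIN:-RH-Firewall-1-INPUT}

# Constructed sample input: the five addresses quoted in the thread, one CIDR,
# a comment line, and two invalid entries that must be rejected, not loaded.
BLOCKLIST='68.222.240.22
203.142.82.222
217.54.97.137
217.219.20.226
218.212.248.7
# CIDR ranges are fine too; hash:net matches on the stored prefix
192.0.2.0/24
256.1.1.1
10.0.0.0/33'

# valid_cidr A.B.C.D/N : succeed only if all four octets are 0..255 and N is 0..32
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  addr=${1%/*}; plen=${1#*/}
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -f; set -- $addr; set +f; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# gen_ipset_restore SETNAME : print an "ipset restore" script on stdout;
# comments and blank lines are skipped, invalid entries are reported on stderr.
gen_ipset_restore() {
  name=$1
  printf 'create %s hash:net family inet hashsize 65536 maxelem 131072\n' "$name"
  printf '%s\n' "$BLOCKLIST" | while IFS= read -r line; do
    entry=${line%%#*}                                   # strip trailing comment
    entry=$(printf '%s' "$entry" | tr -d '[:space:]')   # and all whitespace
    [ -z "$entry" ] && continue
    case "$entry" in */*) ;; *) entry=$entry/32 ;; esac  # bare host -> /32
    if valid_cidr "$entry"; then
      printf 'add %s %s\n' "$name" "$entry"
    else
      printf 'skipping invalid entry: %s\n' "$entry" >&2
    fi
  done
}

# apply_blocklist : needs root, ipset and iptables. Fill a scratch set, swap it
# under the live name, then make sure exactly one DROP rule references the set.
apply_blocklist() {
  tmp=${SET_NAME}_tmp
  ipset destroy "$tmp" 2>/dev/null || true
  gen_ipset_restore "$tmp" | ipset -exist restore
  ipset -exist create "$SET_NAME" hash:net family inet hashsize 65536 maxelem 131072
  ipset swap "$tmp" "$SET_NAME"      # atomic: no window with an empty set
  ipset destroy "$tmp"
  iptables -C "$CHAIN" -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
    || iptables -I "$CHAIN" -m set --match-set "$SET_NAME" src -j DROP
}

# "sh blocklist.sh" prints the restore file for review; "sh blocklist.sh apply" loads it.
if [ "${1-}" = apply ]; then
  apply_blocklist
else
  gen_ipset_restore "$SET_NAME"
fi
```

Rerunning the script with a new list only ever touches the scratch set until the swap, so a bad file fails before anything in the live set changes. To count what is loaded, "ipset list BLOCK | grep -c '^[0-9]'" counts member lines only, since the header lines (Name:, Type:, Members: and so on) start with letters.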