--On Wednesday, October 07, 2020 3:23 PM -0400 Rich Brown
<[email protected]> wrote:
> I'm also aware of ipset, which I take to be an optimized alternative to
> searching a long set of iptables rules (true?). I don't believe that my
> OpenVZ VPS has kernel support for this, so as long as the
> long-list-of-rules seems to work well, I'm going to leave it alone.

A quick google of "OpenVZ ipset" turned up a thread from 3 years ago
suggesting it's in their kernel:
<https://forum.openvz.org/index.php?t=rview&goto=53549&th=13604>
Note that ipset operates in addition to iptables. Other kernel subsystems
can also use them. iptables has a module to query an ipset.
500 rules is a lot to search linearly. I'd think a hash table would give
much superior performance. Note that every "good" packet has to check ALL
the blocking rules to be approved.
I use ipsets to block probes to my mail servers from outside the country
and from cloud services. I've managed to find a few sources of lists for
those. I also use ipset with fail2ban.
The only complicated part is how to handle reboots or other service
restarts. I use firewalld, which does its own ipset management, so I put the
permanent lists there. (I have scripts to convert the cloud lists to
firewalld's XML format for its ipset storage.) fail2ban keeps its own block
database in an SQLite file and tears down and recreates its ipsets on
restart.
_______________________________________________
Bloat mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/bloat
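As an added illustration of the ipset approach discussed in the reply above (example code, not from the mailing list post), the script below turns a blocklist into an `ipset restore` stream that reloads the set atomically via a scratch set and `swap`, plus the single iptables rule that consults the set; the set name, the mail ports and the sample feed are constructed for the example.

```shell
#!/bin/sh
# Constructed sample feed (not a real list): one IPv4 address or CIDR per line,
# '#' comments, blank lines and a junk line to show that they are dropped.
SAMPLE_LIST='# example feed (constructed)
192.0.2.0/24
198.51.100.17

203.0.113.0/25
not-an-address'

SET_NAME="probe_block"   # hypothetical set name

# Keep only lines that look like IPv4 addresses or CIDRs; strip comments and
# whitespace so one malformed feed line cannot abort the whole restore.
clean_list() {
    printf '%s\n' "$1" | sed 's/#.*//; s/[[:space:]]//g' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Emit an 'ipset restore' stream that rebuilds the set without a gap in
# coverage: fill a scratch set, swap it with the live set in one step, then
# drop the scratch set. The old set keeps matching while the new list loads.
ipset_restore_stream() {
    name="$1"; entries="$2"
    printf 'create %s hash:net family inet\n' "$name"
    printf 'create %s_new hash:net family inet\n' "$name"
    printf '%s\n' "$entries" | while read -r cidr; do
        printf 'add %s_new %s\n' "$name" "$cidr"
    done
    printf 'swap %s_new %s\n' "$name" "$name"
    printf 'destroy %s_new\n' "$name"
}

# One rule that does a hash lookup in the set instead of walking hundreds of
# individual -s rules; inserted at the top of INPUT for the mail ports.
iptables_rule() {
    printf 'iptables -I INPUT -p tcp -m multiport --dports 25,465,587 -m set --match-set %s src -j DROP\n' "$1"
}

count_entries() { clean_list "$1" | wc -l | tr -d ' '; }

# Demo: print the restore stream and the rule instead of applying them.
ipset_restore_stream "$SET_NAME" "$(clean_list "$SAMPLE_LIST")"
iptables_rule "$SET_NAME"
```

Feed the stream to `ipset -exist restore` so that a set which already exists from a previous run is not treated as an error; IPv6 sources would need a second `family inet6` set and an `ip6tables` rule.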