https://bugs.contribs.org/show_bug.cgi?id=10749
--- Comment #4 from Jean-Philippe Pialasse <[email protected]> ---
(In reply to mab974 from comment #2)
> Option 2 could be the best:
> no future limitation and possibility of retrieving the country code directly
> from the log file.
> But I can't appreciate the impact in terms of performance between the
> different options.
could also be a mix, remove the limit or top it to 50, as there are about 150
countries, it is still a good compromise to ban 1/3 of the world.
moving in a separate chain would need some rethinking, but could allow reloading
the chain without restarting the whole firewall. The way it is done for
TCP:
INPUT => InboundTCP =>InboundTCP_XXXX
anyway, only one thing to do to know: test
my guess is that it was reduced to 15 to fit ARM processors or small appliances
acting as firewall.
(In reply to Catton from comment #3)
> Another question.
> I noticed that Fail2Ban is at the top of the Chain INPUT and my
> 40DenyRiffRaff-INPUT is further down and Xt geoip is near the bottom.
> With this configuration, it would seem I could add exceptions in
> 40DenyRiffRaff - either ACCEPT or DROP.
> yes?
>
> iptables -nL|less -----------with IPs added in
> /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff-INPUT
>
> Chain INPUT (policy DROP)
> target prot opt source destination
> Fail2Ban all -- 0.0.0.0/0 0.0.0.0/0
> state_chk all -- 0.0.0.0/0 0.0.0.0/0
> local_chk all -- 0.0.0.0/0 0.0.0.0/0
> PPPconn all -- 0.0.0.0/0 0.0.0.0/0
> denylog all -- 224.0.0.0/4 0.0.0.0/0
> denylog all -- 0.0.0.0/0 224.0.0.0/4
> ACCEPT all -- 5.44.100.0/23 0.0.0.0/0
> ACCEPT all -- 8.0.0.0/9 0.0.0.0/0
> ACCEPT all -- 8.16.0.0/15 0.0.0.0/0
> ACCEPT all -- 11.0.0.0/13 0.0.0.0/0
> ACCEPT all -- 11.8.0.0/14 0.0.0.0/0
> ACCEPT all -- 12.0.0.0/8 0.0.0.0/0
I would strongly avoid blindly accepting that many IPs that way... but
theoretically you could. You could also start to fight for the first row before
Fail2Ban and accept before it... but do we want to do that?
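As an added illustration (not code from the bug report or from SME Server) of the separate-chain idea discussed above, the script below generates the iptables commands for a dedicated country-blocking chain that hangs off INPUT the same way InboundTCP does, so the chain can be flushed and refilled on its own without restarting the whole firewall. It splits the country list into rules of at most 15 codes each, the per-rule limit mentioned in the thread; the chain name GeoIPBlock, the helper names and the sample country codes XA/XB/XC are constructed for the example, and the `-m geoip --src-cc` match is the one provided by xt_geoip.

```shell
#!/bin/sh
# Added example: build a dedicated xt_geoip blocking chain that can be
# reloaded independently of the rest of the firewall.
# Assumptions: xt_geoip is loaded; at most 15 country codes fit in one
# rule (limit taken from the thread); chain name GeoIPBlock is made up.

MAX_CC_PER_RULE=15

# build_geoip_rules CHAIN "CC1 CC2 ..." [max_per_rule]
# Prints the iptables commands to (re)populate CHAIN; does not run them,
# so the output can be reviewed or diffed before it is applied.
build_geoip_rules() {
    chain=$1
    codes=$2
    max=${3:-$MAX_CC_PER_RULE}
    batch=""
    n=0
    # Create the chain on first use, flush it on every later reload.
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    for cc in $codes; do
        if [ -z "$batch" ]; then batch=$cc; else batch="$batch,$cc"; fi
        n=$((n + 1))
        # One DROP rule per group of $max codes, as xt_geoip limits per rule.
        if [ "$n" -eq "$max" ]; then
            echo "iptables -A $chain -m geoip --src-cc $batch -j DROP"
            batch=""
            n=0
        fi
    done
    if [ -n "$batch" ]; then
        echo "iptables -A $chain -m geoip --src-cc $batch -j DROP"
    fi
    # Anything not matched returns to the calling chain (INPUT).
    echo "iptables -A $chain -j RETURN"
}

# hook_geoip_chain CHAIN
# Prints the command that links CHAIN into INPUT exactly once.
hook_geoip_chain() {
    chain=$1
    echo "iptables -C INPUT -j $chain 2>/dev/null || iptables -A INPUT -j $chain"
}

# reload_geoip_chain CHAIN "CC1 CC2 ..."
# Applies the generated commands; only the chain is touched, INPUT and the
# other chains are left alone. Requires root and a live xt_geoip.
reload_geoip_chain() {
    { build_geoip_rules "$1" "$2"; hook_geoip_chain "$1"; } | sh -e
}

# Dry run with constructed sample codes (user-assigned ISO codes, not real
# countries): print what would be applied.
build_geoip_rules GeoIPBlock "XA XB XC"
hook_geoip_chain GeoIPBlock
```

Because the hook is appended with `-A INPUT`, the chain ends up near the bottom, after Fail2Ban and 40DenyRiffRaff-INPUT, which matches the ordering shown in the quoted `iptables -nL` output; exceptions placed in the earlier chains therefore still win. Flush-then-refill leaves a short window with no country rules in place, so on a busy host it is worth generating the rules into an iptables-restore file and applying them in one transaction instead.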