On Mon, 13 Jul 2009, Maik Holtkamp wrote:

> I decided to follow this and on the weekend iptables blocked about 70
> IPs. I am afraid that after some time the box will be DOSed by the
> crowded INPUT chain.

The only _real_ fix for that is to use IPSET (patch for netfilter) to deal with IPv4, and config portsentry to run a script that just adds IPs to the proper set you used to block stuff. You can even add them with a builtin "expire" time, so that they get unblocked three days after they were inserted, or whatever...

I really wish IPSET was merged upstream, but it must be lacking something fundamental to earn that right (IPv6 support, perhaps?), since it has been around for a long time now, and it is fully maintained.

-- 
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
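A hook script of the kind described above, added here as an example (not code from the thread, from portsentry or from the ipset project). It assumes the `ipset` command syntax of the ipset that was later merged into the mainline kernel, a set name `portsentry_block` and a three-day expiry, and that portsentry invokes it through its `KILL_RUN_CMD` option with the attacking address substituted for `$TARGET$`; one `iptables` rule matching the set then replaces a per-IP rule in INPUT.

```shell
#!/bin/sh
# Constructed example: portsentry KILL_RUN_CMD hook that drops an attacker
# into an ipset with a timeout instead of appending one iptables rule per IP.
# The single rule that consumes the set is installed once, not per attacker:
#   iptables -I INPUT -m set --match-set portsentry_block src -j DROP
SET_NAME="${SET_NAME:-portsentry_block}"   # assumed set name
TIMEOUT="${TIMEOUT:-259200}"               # three days, in seconds
IPSET="${IPSET:-ipset}"                    # path to the ipset binary

# Accept only a dotted quad with octets 0-255.  portsentry hands us the
# remote address as an argument, so refuse anything that is not an address
# rather than pass it on to ipset as extra arguments.
valid_ipv4() {
    _ip=$1
    case $_ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.
    set -- $_ip
    IFS=$_old_ifs
    [ "$#" -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# The exact ipset command that would be run for an address (used for the
# dry-run check below; no root needed to call it).
block_cmd() {
    printf '%s add %s %s timeout %s -exist\n' "$IPSET" "$SET_NAME" "$1" "$TIMEOUT"
}

# Create the set on first use (hash:ip with timeout support), then add the
# address; -exist makes both calls idempotent, so a repeat offender simply
# has its expiry refreshed.
block_ip() {
    valid_ipv4 "$1" || { echo "refusing to block malformed address: $1" >&2; return 1; }
    "$IPSET" create "$SET_NAME" hash:ip timeout "$TIMEOUT" -exist
    "$IPSET" add "$SET_NAME" "$1" timeout "$TIMEOUT" -exist
}

# portsentry.conf:  KILL_RUN_CMD="/usr/local/sbin/ipset-block.sh $TARGET$"
if [ "$#" -gt 0 ]; then
    block_ip "$1"
fi
```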

