On 21.06.2024 at 10:46:02, L. Mark Stone via mailop wrote:

> It's not uncommon for us to be blocking 30K-50K IP addresses, with no
> performance issues. Reboots do take about a minute or two longer
> however; Fail2Ban rewrites the route table on service start/stop to
> populate/depopulate the route table.
>
> We did research just after COVID that documented how iptables, ufw
> etc. all have scaling issues (ipset a bit less so as I recall), but
> that using "route" as the banaction had hardly any impact on
> performance, even with hundreds of thousands of entries.
There is a (small) disadvantage: depending on the configuration (blackhole), the sender will never get an answer, or gets one that doesn't really show the reason (ICMP dst unreachable "route rejected" or "no route to dst" instead of the firewall's "admin-prohibited").

--
Regards,
Marco

Send unsolicited bulk mail to [email protected]
