On Wed, Aug 12, 2020 at 08:11:14AM -0400, Alan McKay wrote:

> Hey folks,
> 
> This is one that is difficult to test in a test environment.
> 
> I've got OpenBSD 6.5 on a relatively new pair of servers each with 8G RAM.
> 
> With some scripting I'm looking at feeding block IPs to the firewalls
> to block bad-guys in near real time, but in theory if we got attacked
> by a bot net or something like that, it could result in a few thousand
> IPs being blocked.  Possibly even 10s of thousands.
> 
> Are there any real-world data out there on how big of a block list we
> can handle without impacting performance?
> 
> We're doing the standard /etc/blacklist to load a table and then have
> a block on the table right at the top of the ruleset.
> 
> thanks,
> -Alan
> 
> -- 
> "You should sit in nature for 20 minutes a day.
>  Unless you are busy, then you should sit for an hour"
>          - Zen Proverb
> 

Typical answer: "it depends".  Having on the order of 10k rules
might not be a smart idea.  But if you are using tables you should do
fine for many, many IPs.

        -Otto

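The table-based setup the question describes, written out as an added example (this is not code from the thread or from OpenBSD itself). It assumes the table name `blacklist` and the file `/etc/blacklist` from the question, a `block in quick` rule that is an assumption, a hypothetical `NEVER_BLOCK` list of addresses the script must refuse to add (so a bad log line cannot lock you out of your own firewall), and a dry-run fallback when `pfctl` is not on the host running the script. The sample candidate list is constructed. The reason tables scale where rules do not: a pf table is a radix tree, so a lookup costs about the same for ten entries as for ten thousand, whereas every extra rule is one more rule to evaluate on the way through the ruleset.

```shell
#!/bin/sh
# Added example: feeding a pf table from a script without reloading the ruleset.
#
# Assumed pf.conf fragment (table name and file path from the question, the
# rule text is an assumption):
#
#   table <blacklist> persist file "/etc/blacklist"
#   block in quick from <blacklist> to any
#
# "persist" keeps the table even when no rule references it, "file" seeds it
# at pfctl -f time. Afterwards the contents are changed with
# pfctl -t blacklist -T add|delete|replace, the rules are never touched.

TABLE="${TABLE:-blacklist}"                       # pf table name, as in the question
NEVER_BLOCK="${NEVER_BLOCK:-127.0.0.1 192.0.2.1}" # assumed: our own management addresses

# valid_ipv4 A.B.C.D : succeed only for a well-formed dotted-quad IPv4 address.
# (IPv6 and CIDR prefixes are deliberately out of scope for this example.)
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# protected IP : succeed if IP is one we must never block.
protected() {
    case " $NEVER_BLOCK " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# build_blocklist IN OUT : read candidates (one per line, '#' comments allowed),
# drop malformed and protected entries, de-duplicate, write OUT in the one-address-
# per-line form pfctl -T replace -f expects, and print the number of entries kept.
build_blocklist() {
    in=$1; out=$2
    : > "$out"
    sed 's/#.*//' "$in" | tr -d '\r' | awk 'NF { print $1 }' | sort -u |
    while read -r ip; do
        if ! valid_ipv4 "$ip"; then
            echo "skip malformed entry: $ip" >&2; continue
        fi
        if protected "$ip"; then
            echo "refusing to block protected address: $ip" >&2; continue
        fi
        echo "$ip" >> "$out"
    done
    wc -l < "$out" | tr -d ' '
}

# apply_blocklist FILE : swap the whole table for FILE in one operation.
# -T replace avoids the empty-table window a flush-then-add sequence has and
# reports only the delta. Without pfctl (developing off-box) print the command.
apply_blocklist() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t "$TABLE" -T replace -f "$1"
        pfctl -t "$TABLE" -T show | wc -l      # sanity check: current table size
    else
        echo "dry-run: pfctl -t $TABLE -T replace -f $1"
    fi
}

# block_now IP : the near-real-time path, one address at a time. A new table
# entry does not affect states that already exist, so also kill the host's states.
block_now() {
    valid_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
    protected "$1" && { echo "refusing to block protected address: $1" >&2; return 1; }
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t "$TABLE" -T add "$1" && pfctl -k "$1"
    else
        echo "dry-run: pfctl -t $TABLE -T add $1 && pfctl -k $1"
    fi
}

# Demo on a constructed candidate list (not real data).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/candidates" <<'EOF'
198.51.100.7   # scanner reported by the log watcher
203.0.113.9
203.0.113.9    # duplicate
999.1.1.1      # malformed, skipped
192.0.2.1      # our own address, must never be blocked
not-an-ip
EOF
    build_blocklist "$tmp/candidates" "$tmp/blacklist"
    apply_blocklist "$tmp/blacklist"
    rm -r "$tmp"
}

demo
```

Two checks worth running on the real box before trusting the scripts: `pfctl -sm` shows the `table-entries` limit (`set limit table-entries N` in pf.conf raises it), which caps how many addresses a table can hold, and `pfctl -t blacklist -T show | wc -l` after a replace confirms that what the script built is what the kernel now has.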