> Which method of blocking large numbers of IPs is the least consumptive
> of system resources?

iptables is most likely more efficient, though it may be harder to manage. I also am not sure how well it scales when you have thousands of individual IP addresses. However, it is efficient for blocking groups of IPs.

> I have been using IPtables for several years but
> am curious as to whether it is the best way to go when blocking hundreds
> of IPs - like maybe for ALL of China and/or Korea for instance.

You may want to rethink the approach of blocking whole countries. For some time a friend of mine was blocking all of China and Korea to cut down on spam. However, just recently he was working for a client in one of those countries and just couldn't figure out why he couldn't receive their email. He had forgotten about the blocking. There's no telling if/when you'll run into similar issues, and it may not be related to traffic you can anticipate will go to/from those countries. (Think geographically distributed services you use every day.)

A better approach to cut down on noise might be to block traffic from IPs on public blacklists like the spamhaus XBL:

http://www.spamhaus.org/xbl/

I'm not sure if that specific blacklist is convenient to use with iptables, but that would be a better approach in my book.

HTH,
tim

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
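An added example, not part of the original post: since the reply notes that iptables handles groups of IPs better than thousands of single addresses, this sketch collapses a blocklist into the fewest CIDR blocks before rendering rules, and includes a lookup for tracing which block is dropping a given sender. The chain name BLOCKLIST, the function names and the sample entries are assumptions made for illustration.

```python
import ipaddress

# Constructed sample blocklist (documentation ranges, not real offenders).
SAMPLE_BLOCKLIST = """\
192.0.2.0
192.0.2.1
192.0.2.2
192.0.2.3
198.51.100.0/25
198.51.100.128/25
203.0.113.7
203.0.113.7   # duplicate of the line above
not-an-ip
"""

def parse_blocklist(text):
    """Return (networks, rejected_entries); comments and blanks are skipped."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)  # report bad input instead of loading it
    return nets, rejected

def collapse(nets):
    """Merge adjacent, overlapping and duplicate IPv4 entries into CIDR blocks."""
    v4 = [n for n in nets if n.version == 4]
    return list(ipaddress.collapse_addresses(v4))

def restore_rules(blocks, chain="BLOCKLIST"):
    """Render blocks as iptables-restore input for a dedicated chain."""
    # Load with `iptables-restore --noflush`; without it the filter table is replaced.
    lines = ["*filter", f":{chain} - [0:0]"]
    lines += [f"-A {chain} -s {b} -j DROP" for b in blocks]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"

def blocked_by(addr, blocks):
    """Return the block covering addr, or None; helps when mail goes missing."""
    ip = ipaddress.ip_address(addr)
    return next((b for b in blocks if ip in b), None)

if __name__ == "__main__":
    nets, bad = parse_blocklist(SAMPLE_BLOCKLIST)
    print(restore_rules(collapse(nets)), end="")
```

The eight valid sample entries reduce to three rules; the chain only takes effect once a rule in INPUT jumps to it.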
