On 2007-03-20 19:07:01, H.S. wrote:
function FuncBlockedIPsRules {
    echo "Making rules for Blocked IPs traffic";
    while read -r Line; do
        # get the IP address range from the file; each entry is
        # Name:first-last, and the greedy .*: skips any ':' in the name
        IpRange=`echo -n "$Line" | sed -e 's/.*:\(.*\)-\(.*\)/\1-\2/'`;
        # drop the traffic from this IP range

On Tue, Mar 20, 2007 at 07:07:01PM -0400, H.S. wrote:
I am playing round with the blocklist file obtained from peerguardian
(level1.gz). I have written a bash function which I call in my iptables
script to load these rules.
Have you tried inserting them as null routes into your routing table

On Fri, 23 Mar 2007, Andy Smith wrote:
Have you tried inserting them as null routes into your routing table
instead?
That won't be nice to the box, either.
Even with ipset I would not consider putting this many rules into
iptables.
It can be collapsed to one rule (or a small number of them)

H.S. wrote:
Now, currently, there are around 151,000 ipranges listed in level1.gz to
block. So the above function's loop goes over these many times inserting
the rules for each range. And this is taking a huge amount of time: in
over 50 minutes, only around 12% of the rules have been loaded on my

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/21/07 10:52, H.S. wrote:
H.S. wrote:
Now, currently, there are around 151,000 ipranges listed in level1.gz
to block. So the above function's loop goes over these many times
inserting the rules for each range. And this is taking huge

Ron Johnson wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/21/07 10:52, H.S. wrote:
H.S. wrote:
Now, currently, there are around 151,000 ipranges listed in level1.gz
to block. So the above function's loop goes over these many times
inserting the rules for each range. And this is

H.S. wrote:
...
Yes. The experiment shows that this is not going well. I was wondering
if there are any alternatives. I currently have around 80,000 rules now
inserted, and the process is still continuing more than 17 hours later!
However, my internet connection seems to be holding up without

On Wed, Mar 21, 2007 at 12:09:03PM -0400, H.S. wrote:
Ron Johnson wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/21/07 10:52, H.S. wrote:
H.S. wrote:
Now, currently, there are around 151,000 ipranges listed in level1.gz
to block. So the above function's loop goes over these

On Wed, 2007-03-21 at 12:09 -0400, H.S. wrote:
Ron Johnson wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/21/07 10:52, H.S. wrote:
H.S. wrote:
Now, currently, there are around 151,000 ipranges listed in level1.gz
to block. So the above function's loop goes over these

Andrew Sackville-West wrote:
nice to know that the connection is holding up, but there's got to be
a better way to do this. I'm not really up on iptables, but surely
there is some better way to distinguish the traffic to allow or not?
Maybe even just some judicious grepping of the rule set for

On Wed, Mar 21, 2007 at 01:36:17PM -0400, H.S. wrote:
Andrew Sackville-West wrote:
nice to know that the connection is holding up, but there's got to be
a better way to do this. I'm not really up on iptables, but surely
there is some better way to distinguish the traffic to allow or not?

Andrew Sackville-West wrote:
I'm sorry, but what exactly is the purpose here? I did a little poking
around and it looks like just a massive list of ip's to block, but for
what purpose?
I'm not trying to say that this is not the right solution for whatever
your problem is, but it

On Wed, Mar 21, 2007 at 02:30:06PM -0400, H.S. wrote:
Andrew Sackville-West wrote:
I'm sorry, but what exactly is the purpose here? I did a little poking
around and it looks like just a massive list of ip's to block, but for
what purpose?
I'm not trying to say that this is not

Andrew Sackville-West wrote:
On Wed, Mar 21, 2007 at 02:30:06PM -0400, H.S. wrote:
okay, I follow... and you want otherwise unfettered p2p operating, but
security from these particular sites. ugh. nasty problem.
Nasty problem, yes. But I can live without it since I don't do much p2p.
But

On Wed, Mar 21, 2007 at 04:39:57PM -0400, H.S. wrote:
I am not going to follow up on my current method. A better one is
definitely needed.
Googling on the shorewall home page yielded the following:
http://www.shorewall.net/ipsets.html
...
...Ipsets provide an efficient way to

On Tue, 20 Mar 2007, H.S. wrote:
Now, currently, there are around 151,000 ipranges listed in level1.gz to
block. So the above function's loop goes over these many times inserting
See ipset and nf-hipac at http://www.netfilter.org for support for
heavy-duty, huge rulesets.
--
One disk to

Hello,
I am playing round with the blocklist file obtained from peerguardian
(level1.gz). I have written a bash function which I call in my iptables
script to load these rules.
The following function actually loads the rules from a gzipped file
(e.g. /etc/firewall/level1.gz, defined by the
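The thread's answer is to replace the per-range loop with one set lookup. The Python below is an added example, not code from the thread, from peerguardian or from the ipset project. It parses the level1 layout the function above expects ("Name:first-last", one range per line, '#' comment lines, names that may themselves contain ':'), splits each range into the CIDR blocks that an ipset of type hash:net stores, and emits one `ipset restore` script that a single ipset process loads, instead of one forked iptables process per range, each of which re-reads and rewrites the whole table, so the loop slows down as the table grows. It also prints the single iptables rule that matches packets against the set, and, for comparison, the blackhole routes suggested earlier in the thread. The set name "blocklist", the INPUT chain, the hash sizing and the sample entries are assumptions for illustration; the list is assumed to be IPv4 only.

```python
"""Load a peerguardian-style blocklist into one ipset instead of 151,000
separate iptables rules.  Added example; not code from the thread,
from peerguardian or from the ipset project.  Assumed: the level1 layout
"Name:first-last" (one range per line, '#' comments), an ipset build that
has the hash:net type, and the illustrative set name "blocklist", chain
INPUT and hash sizing below."""
import gzip
import ipaddress
import sys

# Constructed sample in the level1 layout (not a real blocklist excerpt);
# names may themselves contain ':' and the last entry repeats the first.
SAMPLE = """\
# comment line, ignored
Some Org:192.0.2.0-192.0.2.255
Another: Org:198.51.100.8-198.51.100.11
Bad Host:203.0.113.77-203.0.113.77
Odd Range:10.0.0.1-10.0.0.6

Dup Org:192.0.2.0-192.0.2.255
"""


def parse_level1(text):
    """Yield (name, first, last) per entry; blank and comment lines skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the LAST colon so a ':' inside the name is harmless
        # (the greedy '.*:' in the thread's sed expression does the same).
        name, colon, rng = line.rpartition(":")
        first, dash, last = rng.partition("-")
        if not colon or not dash:
            raise ValueError(f"line {lineno}: not a Name:first-last entry: {raw!r}")
        yield name, ipaddress.IPv4Address(first.strip()), ipaddress.IPv4Address(last.strip())


def cidrs_for(first, last):
    """Split an arbitrary first-last range into the fewest CIDR blocks.
    hash:net stores prefixes, so unaligned ranges must be converted
    (10.0.0.1-10.0.0.6 becomes four blocks)."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError(f"reversed range {first}-{last}")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def unique_blocks(text):
    """All CIDR blocks of the list, in file order, duplicates dropped
    ('ipset restore' aborts on a repeated entry unless run with -exist)."""
    seen, blocks = set(), []
    for _name, first, last in parse_level1(text):
        for net in cidrs_for(str(first), str(last)):
            if net not in seen:
                seen.add(net)
                blocks.append(net)
    return blocks


def ipset_restore_script(text, setname="blocklist"):
    """'ipset restore' input: one create line plus one add per block.
    maxelem is sized to the list so a range that expands into many
    blocks cannot overflow the set."""
    blocks = unique_blocks(text)
    maxelem = max(65536, len(blocks))
    lines = [f"create {setname} hash:net family inet hashsize 65536 maxelem {maxelem}"]
    lines += [f"add {setname} {net}" for net in blocks]
    return lines


def iptables_rule(setname="blocklist", chain="INPUT"):
    """The one rule that replaces the per-range loop: a hash lookup per
    packet instead of a linear walk over ~151,000 rules."""
    return f"iptables -A {chain} -m set --match-set {setname} src -j DROP"


def blackhole_routes(text):
    """The null-route alternative raised in the thread.  A blackhole route
    is matched on the destination when the host sends, so it stops replies
    to the ranges but does not examine the source of inbound packets."""
    return [f"ip route add blackhole {net}" for net in unique_blocks(text)]


def read_blocklist(path):
    """Read a plain or gzipped list such as level1.gz."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="latin-1") as fh:
        return fh.read()


if __name__ == "__main__":
    text = read_blocklist(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(ipset_restore_script(text)))
    print("# then:", iptables_rule())
```

Run it with the path to the list (plain or .gz) and feed the output to `ipset restore` as root (use `ipset -exist restore` if the set may already exist), then add the printed iptables rule once. The `--match-set` spelling is that of current ipset and xt_set; the 2007-era ipset spelled the same match `-m set --set blocklist src`. Per packet, hash:net costs one lookup per distinct prefix length present in the set (at most 32 for IPv4), which is why it stays flat where 151,000 plain rules do not. The blackhole variant cuts the host off from sending to the ranges, which breaks handshakes, but a routing entry never looks at the source address of an arriving packet, and one route per block is still tens of thousands of routes, which is the objection raised in the thread.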