On 8/20/2014 10:46 AM, PGNd wrote:
> Using an exclusion in conntrack appears to work,
>
> /conntrack
> NOTRACK +IPBLACKLIST_IP!+IPWHITELIST_IP -
> NOTRACK +IPBLACKLIST_NET!+IPWHITELIST_NET -
> DROP:P +IPBLACKLIST_IP!+IPWHITELIST_IP -
> DROP:P +IPBLACKLIST_NET!+IPWHITELIST_NET -
>
> No 'ACCEPT' rules in /rules are required.
>
> One downside is that if +IPBLACKLIST_{IP,NET} is very large, then it
> appears to take a moment to parse the entire list and hit the exclusion.
> Manifests in, e.g., the browser hesitating for a few seconds before
> rendering the reply.

Very expensive to have every packet entering the firewall being checked twice against a large ipset.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
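Tom's point about the double check, as an added Python model (an editor's example, not code from the thread or from Shorewall). It walks the quoted conntrack rules the way the compiled raw-table rules are evaluated: each rule tests the include set and, only on a hit, the `!` exclusion set; NOTRACK is non-terminating, so the walk continues to the DROP:P rule, which ends it. The set names are the ones from the thread; their contents are constructed sample data, and the cost counted is one lookup per ipset test rather than individual hash probes. The DROP-only variant is an assumption of this example, not something proposed in the thread: because the conntrack file compiles into the raw table, which netfilter consults before connection tracking, a packet that DROP:P discards never reaches conntrack anyway, and the model shows that the NOTRACK rules only ever fire on packets the DROP:P rules also drop, so the DROP-only ruleset gives the same verdicts with about half the set lookups.

```python
"""Per-packet cost model for the quoted /etc/shorewall/conntrack rules.

Added example, not code from the thread or from Shorewall.  It mirrors how the
compiled raw-table rules are evaluated: each rule tests the include set, then
(only on a hit) the '!' exclusion set; NOTRACK is non-terminating, DROP ends
the walk.  Set contents are constructed sample data; the cost model counts one
lookup per ipset test, not individual hash probes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


class IPSet:
    """Toy ipset: entries are single addresses or CIDR prefixes (hash:ip / hash:net)."""

    def __init__(self, name, entries):
        self.name = name
        self.nets = [ipaddress.ip_network(e, strict=False) for e in entries]
        self.lookups = 0  # how many times a packet was tested against this set

    def test(self, src):
        self.lookups += 1
        addr = ipaddress.ip_address(src)
        return any(addr in n for n in self.nets)


@dataclass
class Rule:
    action: str              # NOTRACK or DROP, with optional :P/:O/:PO chain suffix
    include: str             # ipset the source must be in
    exclude: Optional[str]   # ipset the source must NOT be in (the '!' exclusion)


def parse_rule(line):
    """Parse a conntrack line such as 'DROP:P +IPBLACKLIST_IP!+IPWHITELIST_IP -'."""
    action, source, _dest = line.split()
    include, _, exclude = source.partition("!")
    return Rule(action, include.lstrip("+"), exclude.lstrip("+") or None)


def walk(rules, sets, src):
    """Evaluate the rules for one packet; return (verdict, notrack, total set lookups)."""
    for s in sets.values():
        s.lookups = 0
    notrack = False
    verdict = "CONTINUE"  # fell through the raw table: normal filtering applies
    for r in rules:
        if not sets[r.include].test(src):
            continue
        if r.exclude and sets[r.exclude].test(src):
            continue  # whitelisted: the exclusion wins and the rule does not match
        if r.action == "NOTRACK":
            notrack = True  # non-terminating target: the walk goes on
            continue
        if r.action.split(":")[0] == "DROP":
            verdict = "DROP"
            break
    return verdict, notrack, sum(s.lookups for s in sets.values())


# The ruleset quoted in the thread.
QUOTED = [
    "NOTRACK +IPBLACKLIST_IP!+IPWHITELIST_IP -",
    "NOTRACK +IPBLACKLIST_NET!+IPWHITELIST_NET -",
    "DROP:P +IPBLACKLIST_IP!+IPWHITELIST_IP -",
    "DROP:P +IPBLACKLIST_NET!+IPWHITELIST_NET -",
]

# Assumed alternative (not from the thread): the DROP:P rules on their own.
DROP_ONLY = QUOTED[2:]


def sample_sets():
    """Constructed sample contents for the four sets named in the thread."""
    return {
        "IPBLACKLIST_IP": IPSet("IPBLACKLIST_IP", ["198.51.100.7", "203.0.113.9"]),
        "IPBLACKLIST_NET": IPSet("IPBLACKLIST_NET", ["192.0.2.0/24"]),
        "IPWHITELIST_IP": IPSet("IPWHITELIST_IP", ["203.0.113.9"]),
        "IPWHITELIST_NET": IPSet("IPWHITELIST_NET", ["192.0.2.128/25"]),
    }


def compare(src):
    """Return {ruleset: (verdict, notrack, lookups)} for one source address."""
    out = {}
    for name, lines in (("quoted", QUOTED), ("drop_only", DROP_ONLY)):
        rules = [parse_rule(line) for line in lines]
        out[name] = walk(rules, sample_sets(), src)
    return out


if __name__ == "__main__":
    # blacklisted host, whitelisted host, blacklisted net, whitelisted sub-net, unlisted
    for src in ("198.51.100.7", "203.0.113.9", "192.0.2.5", "192.0.2.200", "8.8.8.8"):
        print(src, compare(src))
```

Every packet leaving the walk with `notrack=True` also leaves with `DROP`, which is the redundancy behind the "checked twice" remark; an unlisted address costs four set tests under the quoted rules and two under the DROP-only variant.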
