> > On 1/22/2015 12:45 PM, Orlandinei Vujanski wrote:
> > How could I make the networks stay in a separate file by country?
> On Thu, Jan 22, 2015, at 09:54 AM, Bill Shirley wrote:
> Have you looked at GeoIP matching:
> http://shorewall.net/ISO-3661.html

iptables geomatch, though convenient, can get resource-expensive.

A more efficient alternative is to use ipset.

If you know the networks already, or can easily download them, create & load the data in ipsets; whether a single ipset, or multiple per-country, is completely up to you.

Then in shorewall/conntrack DROP the ipsets in prerouting.

e.g., I do

    /conntrack
        ?FORMAT 3
        ## IDS
        # IPSETS
        DROP:P    EXT_IF:+GEO_BLOCK_IP     -
        DROP:P    EXT_IF:+GEO_BLOCK_NET    -

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
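An added example, not part of the original message: one way to keep the networks in a separate file per country and still load them into ipsets, either the single GEO_BLOCK_NET set that the conntrack rule above references or one set per country. The directory layout, the `<cc>.zone` file naming and the `GEO_BLOCK_<CC>` per-country set names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build `ipset restore` input from per-country network files.
# Assumed layout (hypothetical): DIR/<cc>.zone, one IPv4 network per line,
# '#' comments allowed. GEO_BLOCK_NET is the set name used in the message;
# the per-country GEO_BLOCK_<CC> names are assumptions.

# gen_ipset_restore DIR [MODE]
#   MODE=single  : every network goes into GEO_BLOCK_NET (default)
#   MODE=country : one set per file, named GEO_BLOCK_<CC>
gen_ipset_restore() {
    dir=$1 mode=${2:-single}
    [ "$mode" = single ] && echo "create GEO_BLOCK_NET hash:net family inet"
    for f in "$dir"/*.zone; do
        [ -f "$f" ] || continue
        cc=$(basename "$f" .zone | tr 'a-z' 'A-Z')
        # Only two-letter codes may become part of a set name.
        case $cc in
            [A-Z][A-Z]) ;;
            *) echo "skip $f: not a two-letter country code" >&2; continue ;;
        esac
        if [ "$mode" = single ]; then
            name=GEO_BLOCK_NET
        else
            name=GEO_BLOCK_$cc
            echo "create $name hash:net family inet"
        fi
        # Strip comments and whitespace, then keep only lines shaped like
        # a.b.c.d/1-32 (a shape check; ipset still validates the values).
        sed -e 's/#.*//' -e 's/[[:space:]]//g' "$f" |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([1-9]|[12][0-9]|3[0-2])$' |
        sort -u |
        while read -r net; do echo "add $name $net"; done
    done
}

# Constructed sample data (documentation address ranges) in a temp dir.
demo=$(mktemp -d)
printf '192.0.2.0/24\n# comment\n198.51.100.0/24\n' > "$demo/aa.zone"
printf '203.0.113.0/24\nnot-a-network\n' > "$demo/bb.zone"
gen_ipset_restore "$demo" country
rm -rf "$demo"

# To load for real (as root), pipe the output into ipset; -exist tolerates
# sets and entries that are already present:
#   gen_ipset_restore /path/to/zones single | ipset -exist restore
```

In `country` mode each generated set needs its own `+GEO_BLOCK_<CC>` entry in the conntrack file; in `single` mode the rule shown in the message applies unchanged.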
