firewalld with HUGE list of ip to drop

Jerry Geis jerry.geis at gmail.com
Sat Apr 13 21:10:55 UTC 2024


On Thu, Apr 11, 2024 at 5:24 AM <ubuntu-users-list at thomas.freit.ag> wrote:

> Hi Jerry,
>
> On 11.04.24 00:08, Jerry Geis wrote:
> > Seems once I have gotten past the "threshold" which I don't know how
> > many that is - network performance DROPS considerably with many IPs in
> > the list to drop
> >
> > The file to drop has at least 57000+ lines of IP addresses that have
> > attempted some kind of access to my servers. Either unwanted SSH, HTTP,
> > HTTPS or SIP.
>
> Handling large lists is costly and at some list size not feasible any
> more. A better scaling would be possible if you use IP sets. Switching
> from your lists to IP sets is not a big issue.
>
> I suggest
> https://kinvolk.io/blog/2020/09/performance-benchmark-analysis-of-egress-filtering-on-linux/
> as a good read. It covers a lot of Linux filtering possibilities very
> nicely.
>
> Another approach might be (depending on your use case) to switch from a
> list of IPs and networks to drop to a general drop policy and a list of
> IPs/networks to accept. However, it depends on how you get this kind of
> information and how you are able to manage these lists.
>
> hth,
> Thomas
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users


Thanks all for the suggestions - I did get ipset to work.
firewalld took 20 minutes to load all the rules and impacted network
performance.
ipset loads all the same rules in 1 min 20 seconds - network performance is
not impacted.

I did see "hints" that ipset may be going away - is there any truth to
that? I could not find anything definite.

Thanks

Jerry
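As an added illustration of the ipset approach Thomas suggests and Jerry ends up using (not code from the thread), the script below cleans a large drop list and feeds it to firewalld through its own ipset support, so the kernel does a single hash lookup instead of walking 57000+ rules. The list path /etc/blocklist.txt and the set name "blocklist" are assumptions; firewall-cmd is only executed when the script is run with --apply.

```shell
#!/bin/sh
# Added example (not from the thread): load a large drop list into firewalld
# via an ipset instead of one rule per address.
# Assumptions (hypothetical): one IPv4 address per line in /etc/blocklist.txt,
# '#' comments allowed; the set is called "blocklist".
set -e

SET_NAME="blocklist"
LIST_FILE="${LIST_FILE:-/etc/blocklist.txt}"

# normalize_ips: read raw lines on stdin, drop comments and whitespace,
# keep only well-formed IPv4 addresses (each octet 0-255), deduplicate.
normalize_ips() {
    sed 's/#.*//; s/[[:space:]]//g' |
    awk -F. 'NF == 4 &&
             $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ &&
             $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ &&
             $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 &&
             !seen[$0]++'
}

# build_commands ENTRIES_FILE COUNT: print the firewall-cmd sequence.
# maxelem is rounded up to the next multiple of the ipset default (65536)
# so a list that grows past the default does not silently stop filling.
build_commands() {
    entries_file=$1
    count=$2
    maxelem=$(( (count / 65536 + 1) * 65536 ))
    cat <<EOF
firewall-cmd --permanent --new-ipset=$SET_NAME --type=hash:ip --option=maxelem=$maxelem
firewall-cmd --permanent --ipset=$SET_NAME --add-entries-from-file=$entries_file
firewall-cmd --permanent --zone=drop --add-source=ipset:$SET_NAME
firewall-cmd --reload
EOF
}

if [ "${1:-}" = "--apply" ]; then
    tmp=$(mktemp)
    normalize_ips < "$LIST_FILE" > "$tmp"
    n=$(wc -l < "$tmp" | tr -d ' ')
    build_commands "$tmp" "$n" | sh -e      # run the four commands
    firewall-cmd --info-ipset="$SET_NAME"   # confirm the set is populated
    rm -f "$tmp"
fi
```

If the list also contains CIDR networks, use --type=hash:net instead and extend the validator accordingly.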