[Firewall] Big list in block-file -> crash server

B dustythepath at gmail.com
Thu Apr 25 21:57:11 CEST 2013



I strongly suggest you look into using ipset for large IP lists. ipset will work alongside the firewall. Here is a good article: 

http://m.linuxjournal.com/content/advanced-firewall-configurations-ipset


You can also read about it by googling "Gentoo Arch ipset".


There is virtually no performance hit when using ipset with large block lists.


Bill
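
Bill's ipset suggestion above, as an added example that is not code from the thread, from Bill, or from Arno's firewall scripts: a POSIX shell script that turns a large blocklist (one host or CIDR per line) into `ipset restore` input, so the whole list loads in one call instead of one iptables rule per line, and prints the single iptables rule that references the set. The set name "blocklist", the function names, and the sample list are assumptions made for this example; the sample entries are constructed, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Arno's firewall scripts.
# Generates `ipset restore` input for a large blocklist so it loads in one
# process, then prints the one iptables rule that matches the whole set.
# Assumed names: set "blocklist", functions gen_ipset_restore/iptables_rule_for.
#
# Caveats that matter for a ~165k-line list like the one in the thread:
#  - hash:net defaults to maxelem 65536; adding more fails ("Hash is full"),
#    so hashsize and maxelem are derived from the entry count.
#  - the list is loaded into a temporary set that is then swapped in, so the
#    live set is never empty or half-loaded while the firewall is running.
#  - apply with: gen_ipset_restore list.txt blocklist | ipset -exist restore

# Print ipset restore commands that load every entry of $1 into set $2.
# Blank lines, '#' comments and CRLF line endings are tolerated; a bare
# address gets /32 so hash:net accepts it.
gen_ipset_restore() {
    file="$1"; name="$2"
    n=$(tr -d '\r' < "$file" | grep -Ec '^[0-9]')
    # hashsize: power of two >= entry count; maxelem: 2x entries, at least the default
    hs=1024
    while [ "$hs" -lt "$n" ]; do hs=$((hs * 2)); done
    maxelem=$((n * 2))
    if [ "$maxelem" -lt 65536 ]; then maxelem=65536; fi
    echo "create ${name}_tmp hash:net family inet hashsize $hs maxelem $maxelem"
    echo "create $name hash:net family inet hashsize $hs maxelem $maxelem"
    tr -d '\r' < "$file" | grep -E '^[0-9]' | sed 's/[[:space:]]*#.*//' |
    while read -r cidr; do
        case "$cidr" in
            */*) ;;                 # already carries a prefix length
            *)   cidr="$cidr/32" ;; # bare host address
        esac
        echo "add ${name}_tmp $cidr"
    done
    echo "swap ${name}_tmp $name"
    echo "destroy ${name}_tmp"
}

# The single rule that replaces one iptables rule per blocklist line.
# Printed rather than executed: applying it needs root and the ipset module.
iptables_rule_for() {
    echo "iptables -I INPUT -m set --match-set $1 src -j DROP"
}

# Constructed sample list (not from the thread) so the script runs as a dry run.
SAMPLE_LIST="${TMPDIR:-/tmp}/blocklist.sample.$$"
printf '%s\n' '# constructed sample' '1.0.0.0/8' \
    '203.0.113.0/24   # TEST-NET-3' '198.51.100.7' '' > "$SAMPLE_LIST"

gen_ipset_restore "$SAMPLE_LIST" blocklist
iptables_rule_for blocklist
```

The `-exist` flag on `ipset restore` lets the script be re-run without failing on the `create` lines; if a later list outgrows the maxelem the live set was created with, destroy and recreate that set, since `-exist` only ignores a create of an identical set. The /8 prefixes Arno lists further down load into the same hash:net set alongside /24s and /32s, so one set serves both approaches.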


On Apr 24, 2013, at 10:32 PM, Arno Nebauer <arno at nebauer.net> wrote:

> Hi Michel, 
> 
> Because I am a newbie with Arno's firewall, I can't give advice on the software. Anyway: your list of more than 100,000 hosts / subnets is extremely large.
> 
> Try to find out the top networks via whois.arin.net, and you will be able to block by /8 subnets. I did this with success to block SSH from Asia with just 41 subnets. I'm quite sure that my list is not complete, but here you are: 
> 
> 1.0.0.0/8
> 14.0.0.0/8 
> 27.0.0.0/8 
> 36.0.0.0/8 
> 42.0.0.0/8 
> 49.0.0.0/8 
> 58.0.0.0/8 
> 59.0.0.0/8 
> 60.0.0.0/8 
> 61.0.0.0/8 
> 101.0.0.0/8
> 106.0.0.0/8
> 110.0.0.0/8
> 112.0.0.0/8
> 113.0.0.0/8
> 114.0.0.0/8
> 115.0.0.0/8
> 116.0.0.0/8
> 117.0.0.0/8
> 118.0.0.0/8
> 119.0.0.0/8
> 121.0.0.0/8
> 122.0.0.0/8
> 123.0.0.0/8
> 124.0.0.0/8
> 125.0.0.0/8
> 175.0.0.0/8
> 176.0.0.0/8
> 120.0.0.0/8
> 180.0.0.0/8
> 202.0.0.0/8
> 203.0.0.0/8
> 210.0.0.0/8
> 211.0.0.0/8
> 218.0.0.0/8
> 219.0.0.0/8
> 220.0.0.0/8
> 221.0.0.0/8
> 222.0.0.0/8
> 223.0.0.0/8
> 
> 
> On 25.04.2013 09:43, Michel van Dop wrote:
>> Hi,
>> 
>> Since I have used 165176 hosts / subnets (lines) in my block list, my new CentOS 6.4 server has crashed 2 times in 3 days.
>> 
>> Anyone have an idea what I need to change in my network settings? 1/2 blocklist?
>> 
>> Best regards,
>> 
>> Michel
>>  
>> 
>> 
>> _______________________________________________
>> Firewall mailing list
>> Firewall at rocky.eld.leidenuniv.nl
>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>> Arno's (Linux IPTABLES Firewall) Homepage:
>> http://rocky.eld.leidenuniv.nl
> 