[Firewall] Is there a limit to BLOCK_HOSTS=""

Lonnie Abelbeck lists at lonnie.abelbeck.com
Sun Feb 3 20:21:01 CET 2013


Hi Bill,

Your suggestion to utilize "ipset" is interesting, here is a good reference:

http://www.linuxjournal.com/content/advanced-firewall-configurations-ipset

Though, I'm not sure "ipset" is ubiquitous enough for AIF to require its use.  (ipset v5.0 or later is required for IPv6 support)

Additionally, keep in mind that BLOCK_HOSTS_FILE uses iptables-save and iptables-restore to minimize the time loading the block list.  For example on a Dual Core Atom D525 @ 1.80GHz, I get:
--
# time arno-iptables-firewall force-reload
Arno's Iptables Firewall Script v2.0.1d
-------------------------------------------------------------------------------
Blocking (blackhole) direction: Inbound and Outbound
(Re)loading list of BLOCKED hosts from /mnt/kd/blocked-hosts...
 0%.........20%.........40%.........60%.........80%.........100%.........468 host line(s) read

Feb 03 12:42:57 All firewall rules applied.

real	0m1.064s
user	0m0.496s
sys	0m0.386s
--
so, roughly 2 seconds per 1000 block entries, scale appropriately for your situation.

As far as the real-time matching efficiency of either using "-m set --set myset src" or a chain "-j HOST_BLOCK_SRC" containing the -s matches, I don't know the answer.

Possibly an AIF "block-hosts" plugin using "ipset" (if available) would be a good addition.

Lonnie



On Feb 3, 2013, at 11:49 AM, B wrote:

> Also having an interest in this,
> 
> I have tried to use ipset with Arno's firewall as using the block hosts parameter will be much slower with large numbers of IPs. It can get messy if things aren't loaded properly.
> 
> Is there a recommended way to use Ip sets?
> 
> Right now I'm using a script from the Gentoo forums to auto generate an ipset. 
> 
> Reference: Search gentoo.org and ip sets and you'll find the discussion on ip sets and country blocking.
> 
> Hope this adds to the conversation 
> Bill
> 
> On Feb 2, 2013, at 9:32 PM, cmr at uniserve.com wrote:
> 
>> I find myself wanting to block access from whole country ip ranges. Is there a limit to what I can include in the BLOCK_HOSTS="" setting? If there is, can I have multiple BLOCK_HOSTS="" statements in the firewall.conf file?
>> 
>> I'm using version 2.0.1c.
>> 
>> Chris
>> 
>> 
>> as an example for blocking China:
>> BLOCK_HOSTS="1.12.0.0/14 1.24.0.0/13 1.32.0.0/16 1.45.0.0/16 1.48.0.0/14 1.56.0.0/13 1.68.0.0/14 1.80.0.0/12 1.116.0.0/14 1.180.0.0/14 1.184.0.0/15 1.188.0.0/13 1.196.0.0/14 1.202.0.0/14 1.206.0.0/15 14.16.0.0/12 
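An added example, not code from AIF or from anyone in this thread, of the approach Bill and Lonnie discuss: convert a blocked-hosts file in the BLOCK_HOSTS_FILE style (one host or CIDR per line, "#" comments allowed) into an "ipset restore" script for a scratch set, so a large country list can be loaded in one bulk operation and then swapped into the live set atomically, meaning the live set is never half-loaded while a reload is in progress. The set names "blocklist" and "blocklist.tmp", the hash:net type and the size parameters are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not AIF code): build an "ipset restore" script for a
# scratch set from an AIF-style blocked-hosts file. Set names, the
# hash:net type and hashsize/maxelem below are assumptions for illustration.

# gen_ipset_restore SETNAME FILE
# Writes the restore script for the scratch set "SETNAME.tmp" on stdout.
# Blank lines and '#' comments are ignored; lines that are not an IPv4
# address or IPv4 CIDR are reported on stderr and skipped, since a
# hash:net set cannot take hostnames. Duplicates are collapsed.
gen_ipset_restore() {
    set_name="$1"
    set_tmp="${set_name}.tmp"
    file="$2"
    ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'

    # Strip comments and surrounding whitespace, drop empty lines.
    cleaned=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" \
              | grep -v '^$' || true)

    # Report entries this set type cannot hold, then drop them.
    printf '%s\n' "$cleaned" | grep -Ev "$ipv4_re" \
        | grep -v '^$' | sed 's/^/skipping non-IPv4 entry: /' >&2 || true

    # The scratch set must have the same type and family as the live set,
    # otherwise "ipset swap" refuses to exchange them. "-exist" on the
    # ipset invocation makes the create idempotent across reloads.
    printf 'create %s hash:net family inet hashsize 4096 maxelem 65536\n' "$set_tmp"
    printf 'flush %s\n' "$set_tmp"
    printf '%s\n' "$cleaned" | grep -E "$ipv4_re" | sort -u \
        | sed "s/^/add $set_tmp /" || true
}

# Stand-alone usage (assumed file name and set name):
#   sh gen-ipset.sh blocklist /mnt/kd/blocked-hosts | ipset -exist restore \
#     && ipset -exist create blocklist hash:net family inet hashsize 4096 maxelem 65536 \
#     && ipset swap blocklist.tmp blocklist \
#     && ipset destroy blocklist.tmp
if [ "$#" -eq 2 ]; then
    gen_ipset_restore "$1" "$2"
fi
```

The swap is done outside the restore on purpose: if the restore fails partway (a bad line, a set type mismatch), the live "blocklist" set is untouched and the scratch set can simply be destroyed and rebuilt. Once the live set exists, a single rule such as "iptables -I INPUT -m set --match-set blocklist src -j DROP" (older ipset releases spell it "--set blocklist src", as in Lonnie's note) replaces the per-host "-s" rules, and subsequent reloads only touch the set, not the iptables ruleset.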

