[Firewall] Is there a limit to BLOCK_HOSTS=""

B dustythepath at gmail.com
Sun Feb 3 20:51:12 CET 2013


That addition would be very useful. I will work on sending you some comparisons next week. From what I understand ipset loads much faster than a list of hosts since iptables checks the ipset rather than load the whole list into iptables.

Rather than just ask, I will try to give you good reason soon to be interested in this.

Thanks
Bill

On Feb 3, 2013, at 9:21 AM, Lonnie Abelbeck <lists at lonnie.abelbeck.com> wrote:

> Hi Bill,
> 
> Your suggestion to utilize "ipset" is interesting, here is a good reference:
> 
> http://www.linuxjournal.com/content/advanced-firewall-configurations-ipset
> 
> Though, I'm not sure "ipset" is ubiquitous enough for AIF to require its use.  (ipset v5.0 or later is required for IPv6 support)
> 
> Additionally, keep in mind that BLOCK_HOSTS_FILE uses iptables-save and iptables-restore to minimize the time loading the block list.  For example on a Dual Core Atom D525 @ 1.80GHz, I get:
> --
> # time arno-iptables-firewall force-reload
> Arno's Iptables Firewall Script v2.0.1d
> -------------------------------------------------------------------------------
> Blocking (blackhole) direction: Inbound and Outbound
> (Re)loading list of BLOCKED hosts from /mnt/kd/blocked-hosts...
> 0%.........20%.........40%.........60%.........80%.........100%.........468 host line(s) read
> 
> Feb 03 12:42:57 All firewall rules applied.
> 
> real    0m1.064s
> user    0m0.496s
> sys    0m0.386s
> --
> so, roughly 2 seconds per 1000 block entries, scale appropriately for your situation.
> 
> As far as the real-time matching efficiency of either using "-m set --set myset src" or a chain "-j HOST_BLOCK_SRC" containing the -s matches, I don't know the answer.
> 
> Possibly an AIF "block-hosts" plugin using "ipset" (if available) would be a good addition.
> 
> Lonnie
> 
> 
> 
> On Feb 3, 2013, at 11:49 AM, B wrote:
> 
>> Also having an interest in this,
>> 
>> I have tried to use ipset with Arno's firewall as using the block hosts parameter will be much slower with large numbers of IPs. It can get messy if things aren't loaded properly.
>> 
>> Is there a recommended way to use Ip sets?
>> 
>> Right now I'm using a script from the Gentoo forums to auto generate an ipset. 
>> 
>> Reference: Search gentoo.org and ip sets and you'll find the discussion on ip sets and country blocking.
>> 
>> Hope this adds to the conversation 
>> Bill
>> 
>> On Feb 2, 2013, at 9:32 PM, cmr at uniserve.com wrote:
>> 
>>> I find myself wanting to block access from whole country ip ranges. Is there a limit to what I can include in the BLOCK_HOSTS="" setting? If there is, can I have multiple BLOCK_HOSTS="" statements in the firewall.conf file?
>>> 
>>> I'm using version 2.0.1c.
>>> 
>>> Chris
>>> 
>>> 
>>> as an example for blocking China:
>>> BLOCK_HOSTS="1.12.0.0/14 1.24.0.0/13 1.32.0.0/16 1.45.0.0/16 1.48.0.0/14 1.56.0.0/13 1.68.0.0/14 1.80.0.0/12 1.116.0.0/14 1.180.0.0/14 1.184.0.0/15 1.188.0.0/13 1.196.0.0/14 1.202.0.0/14 1.206.0.0/15 14.16.0.0/12
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
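A worked example of the two approaches compared in the thread, added here and not part of the list discussion or of Arno's firewall: it turns a BLOCK_HOSTS-style string into `ipset restore` input plus the single `-m set` rule, and beside it the per-network chain form, so the rule-count difference (1 rule versus N rules) is visible before anything is loaded. The set name `blocked_hosts` and the sample list are constructed assumptions; the chain name `HOST_BLOCK_SRC` is the one from the thread.

```python
import ipaddress

# Constructed sample: a few ranges from the China example above, plus one
# range already covered by 1.12.0.0/14 and one junk token, to show cleanup.
SAMPLE_BLOCK_HOSTS = ("1.12.0.0/14 1.24.0.0/13 1.32.0.0/16 1.45.0.0/16 "
                      "1.48.0.0/14 1.56.0.0/13 14.16.0.0/12 1.14.0.0/16 garbage")


def parse_block_hosts(value):
    """Parse a BLOCK_HOSTS string into IPv4 networks, dropping invalid tokens
    and collapsing ranges that overlap or are contained in another."""
    nets = []
    for tok in value.split():
        try:
            nets.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            continue  # not an address or CIDR; a real loader should log this
    v4 = [n for n in nets if n.version == 4]
    return list(ipaddress.collapse_addresses(v4))


def ipset_restore_script(nets, setname="blocked_hosts"):
    """Text for `ipset restore`: one create line, then one add per network.
    hash:net with family inet is the set type that matches IPv4 CIDRs."""
    maxelem = max(65536, len(nets))
    lines = [f"create {setname} hash:net family inet hashsize 1024 maxelem {maxelem}"]
    lines += [f"add {setname} {n.with_prefixlen}" for n in nets]
    return "\n".join(lines) + "\n"


def iptables_set_rules(setname="blocked_hosts"):
    """iptables-restore filter fragment for the ipset approach: a single
    rule no matter how many networks the set holds."""
    return f"*filter\n-A INPUT -m set --match-set {setname} src -j DROP\nCOMMIT\n"


def iptables_chain_rules(nets, chain="HOST_BLOCK_SRC"):
    """iptables-restore fragment for the per-host chain: one -s rule per
    network, so the rule count grows with the list."""
    lines = ["*filter", f":{chain} - [0:0]", f"-A INPUT -j {chain}"]
    lines += [f"-A {chain} -s {n.with_prefixlen} -j DROP" for n in nets]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    nets = parse_block_hosts(SAMPLE_BLOCK_HOSTS)
    print(ipset_restore_script(nets))
    print(iptables_set_rules())
    print(iptables_chain_rules(nets))
```

Feed the first output to `ipset restore` and the second to `iptables-restore -n` on a test host; the third is only there to show what the chain form expands to.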

