[Firewall] Firewall Digest, Vol 85, Issue 3

cmr at uniserve.com
Tue Feb 5 20:58:17 CET 2013


Thanks to one and all, as
BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts" solved my
problem.

On to new business: ipset really looks promising. From the links you
provided, it looks like a SUPER speed-up of blocking hosts is a bonus.
Now to get it working reliably.

Thanks again, and I look forward to any new plugins around ipset.

Chris


Quoting firewall-request at rocky.eld.leidenuniv.nl:

> Send Firewall mailing list submissions to
> 	firewall at rocky.eld.leidenuniv.nl
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> or, via email, send a message with subject or body 'help' to
> 	firewall-request at rocky.eld.leidenuniv.nl
>
> You can reach the person managing the list at
> 	firewall-owner at rocky.eld.leidenuniv.nl
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Firewall digest..."
>
>
> Today's Topics:
>
>    1. Re: Is there a limit to BLOCK_HOSTS="" (B)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 3 Feb 2013 09:51:12 -1000
> From: B <dustythepath at gmail.com>
> To: Arno's IPTABLES firewall script <firewall at rocky.eld.leidenuniv.nl>
> Subject: Re: [Firewall] Is there a limit to BLOCK_HOSTS=""
> Message-ID: <945233E3-4B9E-4410-BEAB-F474358B24EF at gmail.com>
> Content-Type: text/plain;	charset=us-ascii
>
> That addition would be very useful. I will work on sending you some  
> comparisons next week. From what I understand ipset loads much  
> faster than a list of hosts since iptables checks the ipset rather  
> than load the whole list into iptables.
>
> Rather than just ask, I will try to give you good reason soon to be  
> interested in this.
>
> Thanks
> Bill
>
> On Feb 3, 2013, at 9:21 AM, Lonnie Abelbeck  
> <lists at lonnie.abelbeck.com> wrote:
>
>> Hi Bill,
>>
>> Your suggestion to utilize "ipset" is interesting, here is a good reference:
>>
>> http://www.linuxjournal.com/content/advanced-firewall-configurations-ipset
>>
>> Though, I'm not sure "ipset" is ubiquitous enough for AIF to
>> require its use.  (ipset v5.0 or later is required for IPv6 support)
>>
>> Additionally, keep in mind that BLOCK_HOSTS_FILE uses iptables-save  
>> and iptables-restore to minimize the time loading the block list.   
>> For example on a Dual Core Atom D525 @ 1.80GHz, I get:
>> --
>> # time arno-iptables-firewall force-reload
>> Arno's Iptables Firewall Script v2.0.1d
>> -------------------------------------------------------------------------------
>> Blocking (blackhole) direction: Inbound and Outbound
>> (Re)loading list of BLOCKED hosts from /mnt/kd/blocked-hosts...
>> 0%.........20%.........40%.........60%.........80%.........100%.........468 host line(s) read
>>
>> Feb 03 12:42:57 All firewall rules applied.
>>
>> real    0m1.064s
>> user    0m0.496s
>> sys    0m0.386s
>> --
>> so, roughly 2 seconds per 1000 block entries, scale appropriately  
>> for your situation.
>>
>> As far as the real-time matching efficiency of either using "-m set  
>> --set myset src" or a chain "-j HOST_BLOCK_SRC" containing the -s  
>> matches, I don't know the answer.
>>
>> Possibly an AIF "block-hosts" plugin using "ipset" (if available)  
>> would be a good addition.
>>
>> Lonnie
>>
>>
>>
>> On Feb 3, 2013, at 11:49 AM, B wrote:
>>
>>> Also having an interest in this,
>>>
>>> I have tried to use ipset with Arno's firewall as using the block  
>>> hosts parameter will be much slower with large numbers of IPs. It  
>>> can get messy if things aren't loaded properly.
>>>
>>> Is there a recommended way to use IP sets?
>>>
>>> Right now I'm using a script from the Gentoo forums to auto  
>>> generate an ipset.
>>>
>>> Reference: Search gentoo.org and ip sets and you'll find the  
>>> discussion on ip sets and country blocking.
>>>
>>> Hope this adds to the conversation
>>> Bill

snip
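As an added example of the approach the thread is circling around (this is not code from the thread, from AIF, or from the Gentoo script Bill mentions): a small script that turns a BLOCK_HOSTS_FILE-style list into an "ipset restore" script and prints the iptables/ip6tables rules that consult the resulting sets. Instead of one "-s <host> -j DROP" rule per entry, the kernel does one hash lookup per packet, and the list is loaded in one "ipset restore" transaction rather than rule by rule. The set names, the "_new" suffix, the INPUT/OUTPUT chains and the sample list are assumptions chosen for the example; ipset v5 or later is assumed for the IPv6 set and for "-m set --match-set" (the "--set" spelling quoted above is the older alias). Hostnames are not resolved here; entries that are not an address or network are reported on stderr and skipped.

```shell
#!/bin/sh
# Added example, not part of Arno's IPTABLES Firewall (AIF) or of this thread.
# Turns a BLOCK_HOSTS_FILE-style list into an "ipset restore" script and the
# iptables rules that consult the resulting sets.  Set names, the "_new"
# suffix and the chains used below are assumptions chosen for the example.

SET_V4="blocked_v4"   # assumed name of the IPv4 set (hosts and CIDR networks)
SET_V6="blocked_v6"   # assumed name of the IPv6 set

# Write a constructed sample list (not a real block list) to the given path.
write_sample_hosts() {
  cat > "$1" <<'EOF'
# constructed sample in BLOCK_HOSTS_FILE style: one or more entries per line,
# "#" comments, blank lines, single hosts and CIDR networks, IPv4 and IPv6
192.0.2.10            # single host
198.51.100.0/24       # whole network
203.0.113.5 203.0.113.6

2001:db8::bad:1
example.invalid       # hostnames are not resolved by this example: skipped
EOF
}

# Print one entry per line: drop "#" comments and blank lines, split lines
# that carry several entries.
normalize_hosts() {
  sed -e 's/#.*$//' "$1" | tr -s '[:space:]' '\n' | sed '/^$/d'
}

# Emit an "ipset restore" script.  Entries go into fresh *_new sets which are
# then exchanged with the live sets by "swap", so a reload never leaves the
# live set empty or half-filled while the list is read; "-exist" makes the
# script safe to re-run.  Use: gen_ipset_restore blocked-hosts | ipset restore
gen_ipset_restore() {
  for s in "$SET_V4" "${SET_V4}_new"; do
    echo "create $s hash:net family inet -exist"
  done
  for s in "$SET_V6" "${SET_V6}_new"; do
    echo "create $s hash:net family inet6 -exist"
  done
  echo "flush ${SET_V4}_new"
  echo "flush ${SET_V6}_new"
  normalize_hosts "$1" | while IFS= read -r entry; do
    case "$entry" in
      *:*)                          echo "add ${SET_V6}_new $entry -exist" ;;
      [0-9]*.[0-9]*.[0-9]*.[0-9]*)  echo "add ${SET_V4}_new $entry -exist" ;;
      *) echo "skipping '$entry': not an IP address or network" >&2 ;;
    esac
  done
  echo "swap ${SET_V4}_new $SET_V4"
  echo "swap ${SET_V6}_new $SET_V6"
  echo "destroy ${SET_V4}_new"
  echo "destroy ${SET_V6}_new"
}

# The rules that consult the sets, in place of one "-s <host> -j DROP" rule
# per entry: a hash lookup per packet instead of a walk down a chain whose
# length grows with the block list.  Inbound matches on source, outbound on
# destination, mirroring the "Inbound and Outbound" blackhole direction above.
gen_iptables_rules() {
  echo "iptables  -I INPUT  -m set --match-set $SET_V4 src -j DROP"
  echo "iptables  -I OUTPUT -m set --match-set $SET_V4 dst -j DROP"
  echo "ip6tables -I INPUT  -m set --match-set $SET_V6 src -j DROP"
  echo "ip6tables -I OUTPUT -m set --match-set $SET_V6 dst -j DROP"
}

# Stand-alone use: ./blocklist-ipset.sh /etc/arno-iptables-firewall/blocked-hosts
if [ -n "${1:-}" ]; then
  gen_ipset_restore "$1"
  gen_iptables_rules
fi
```

The swap/destroy pair is what keeps a reload from opening a window with an empty set; if you only "flush" and re-"add" the live set, traffic from blocked hosts passes while the list is being read. Since "ipset restore" applies the whole file in one transaction, the four rules above can stay in place across reloads and only the set contents change.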
