[Freeswitch-users] blocking IP addresses and fail2ban setup
Ivan
ivan at c3i.bg
Tue Aug 13 10:37:20 MSD 2013
> Huge lists blocked as dynamic will reduce performance of your firewall.
FWIW, one of my firewalls (a rather low-end machine by today's
standards) sees a hundred GB of daily traffic, most of it hitting a
standard iptables chain with 4000+ blacklist rules before being
accepted, and the load average / CPU usage are close to 0. The rules are
a mix of source IPs/nets, protocol and packet size checks, etc.
In comparison, Brian's blacklist is only 142 lines so ipset is not
really needed for performance (but of course, if it's packaged for your
distro why not use it - in my case it was not and I was lazy
compiling/maintaining it).
BTW a way to flush/repopulate a chain *very* quickly is to create a file
in the iptables-restore format and restore it:
LIST=/path/to/blacklist
RULES=/path/to/some/rules
# Start the filter table and (re)declare the user chain; with --noflush,
# this ':chain' line flushes the existing chain instead of recreating it.
echo "*filter" > "$RULES"
echo ":blacklist - [0:0]" >> "$RULES"
# One DROP rule per address/network listed in the blacklist file
for i in $(cat "$LIST"); do
  echo "-A blacklist -s $i -j DROP" >> "$RULES"
done
echo "COMMIT" >> "$RULES"
# Load only this table/chain; the rest of the live ruleset is left untouched
/sbin/iptables-restore --noflush "$RULES"
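Added example, not from the post: the same iptables-restore file built in Python, with the step the shell loop skips, validating each blacklist entry first, since one malformed line makes iptables-restore reject the whole file and leave the chain unchanged. The sample list, the comment syntax and the IPv4-only assumption are mine.

```python
import ipaddress

# Constructed sample blacklist in the free-form style the post's loop reads:
# one address or network per line; blank lines and '#' comments allowed
# (assumption: the original list holds plain IPv4 addresses and networks).
SAMPLE_LIST = """
# constructed sample entries
203.0.113.7
198.51.100.0/24
  203.0.113.7
not-an-address
2001:db8::/32
"""

CHAIN = "blacklist"  # the user-defined chain name used in the post


def parse_blacklist(text):
    """Return (accepted IPv4 networks, rejected lines).

    One malformed line makes iptables-restore reject the whole file, so
    bad entries are filtered out here; duplicates are dropped and IPv6 is
    rejected because the post restores into the IPv4 filter table only.
    """
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        if net.version != 4:
            rejected.append(line)
        elif net not in accepted:
            accepted.append(net)
    return accepted, rejected


def build_restore_file(nets, chain=CHAIN):
    """Build the text the post writes with echo for iptables-restore --noflush.
    The ':chain - [0:0]' line flushes the existing user chain before the -A
    lines repopulate it, so the swap happens in a single restore call."""
    lines = ["*filter", f":{chain} - [0:0]"]
    lines += [f"-A {chain} -s {net.with_prefixlen} -j DROP" for net in nets]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"
```

Write the returned text to a file and feed it to `iptables-restore --noflush` exactly as the post does; the rejected lines are worth logging so a typo in the list is noticed rather than silently dropped.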