On Tue, 4 Feb 2020 at 05:37, Pete Biggs <pete@xxxxxxxxxxxx> wrote:

> On Mon, 2020-02-03 at 19:04 -0500, Jerry Geis wrote:
> > Hi All,
> >
> > Over the last 20 some years I have a file with about 200K worth of addresses
> > that have "wrongly" tried to connect to my boxes running CentOS. So the
> > file has one line per address or group of addresses like:
> > 2.244.112.0/24
> >
> > So using the OLD iptables I would run through my file, build the
> > iptables.txt file and start that with DROP for the IP address. iptables ran
> > through the big list in no time.
> >
> > I was trying to run a script to go through each line and run:
> > firewall-cmd --zone=drop --add-source="$ipblock" --permanent
> > but this takes a long time.
> >
> > What is a "better" way or more efficient way to keep my long list of bad
> > addresses and apply them? Thanks,
> >
>
> To some extent you need to ask yourself if a 20 year old blacklist is
> really effective these days. Lots will have changed in that time and
> many of the addresses will have been reassigned.
>
> Also, a 200k lump of addresses will surely slow down the processing of
> incoming packets?
>

It will because it is a linear list that every packet has to be 'judged'
against. Even if you break it down to 2 or 3 trees it will still take a
while. Any list of IP addresses is going to be outdated by a year because
of how ranges are so dynamic these days. Most 'bad guys' can jump around
a couple hundred thousand or a million IP addresses without much cost on
their part and can get new ranges to screw around with weekly.

> Perhaps it's time to rethink what you do. Can you define what addresses
> would "rightly" try and connect to your machine and whitelist those on
> a normally closed system (rather than blacklisting those on a normally
> open system).
>
> If you need the system to be open, then I find Fail2Ban useful in
> blacklisting addresses that are being naughty.
>
> P.
> > > _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos
>

-- 
Stephen J Smoogen.
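The "more efficient way" Jerry asks about, as an added example that is not from anyone in this thread: load the whole blocklist into one firewalld ipset of type hash:net and attach that set to the drop zone, so the kernel does a hash lookup per packet instead of scanning a rule per address, and firewalld is asked once rather than 200K times. The set name badnets, the maxelem value and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: replace "firewall-cmd --add-source"
# per line with a single hash:net ipset attached to the drop zone.
# Assumed names: ipset "badnets" and the blocklist path are ours.
set -eu

# Keep only syntactically valid IPv4 addresses / CIDR blocks, drop
# comments and blanks, dedupe. One entry per line on stdout.
normalize_blocklist() {
    sed 's/#.*//; s/[[:space:]]//g' "$1" \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
      | sort -u
}

# Apply the normalized list (requires root and a running firewalld).
# --add-entries-from-file hands the whole file to the daemon in one call;
# the default maxelem (65536) is too small for a ~200K-entry list.
apply_blocklist_ipset() {
    list="$1"; setname="${2:-badnets}"
    tmp=$(mktemp)
    normalize_blocklist "$list" > "$tmp"
    firewall-cmd --permanent --get-ipsets | grep -qw "$setname" \
      || firewall-cmd --permanent --new-ipset="$setname" --type=hash:net \
           --option=maxelem=1000000
    firewall-cmd --permanent --ipset="$setname" --add-entries-from-file="$tmp"
    firewall-cmd --permanent --zone=drop --add-source="ipset:$setname"
    firewall-cmd --reload
    rm -f "$tmp"
}

# Constructed sample blocklist (documentation ranges, not real indicators).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real blocklist
203.0.113.0/24
198.51.100.7
203.0.113.0/24
not-an-address
192.0.2.0/24   # trailing comment
EOF

if [ "${1:-}" = "--apply" ]; then
    apply_blocklist_ipset "${2:-$SAMPLE}"   # e.g. ./script.sh --apply /etc/badnets.txt
else
    echo "$(normalize_blocklist "$SAMPLE" | grep -c .) usable entries"
fi
```

Run with no arguments to check what the parser keeps; run as root with `--apply <file>` to load the list. After that, `firewall-cmd --ipset=badnets --get-entries | wc -l` shows what actually landed in the set.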