Re: Switching from lokkit (iptables) to firewalld

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Once upon a time, Stephen John Smoogen <smooge@xxxxxxxxx> said:
> It will because it is a linear list that every packet has to be 'judged'
> against. Even if you break it down to 2 or 3 trees it will still take a
> while.

Putting them in ipset would be much better performance (uses hash, so
not a linear search).  It also makes for a much more readable and
manageable firewall config.  I use ipsets for most everything these
days, even where there are just a few IPs/networks involved.  However...

> Any list of ip addresses is going to be outdated by a year because of how
> ranges are so dynamic these days. Most 'bad-guys' can jump around a couple
> hundred thousand or million ip addresses without much cost on their part
> and can get new ranges to screw around weekly.

Yeah, it's going to be a useless list.  If you want to protect services,
then short-term blocking like fail2ban is okay - better is to just allow
your "known good" sources and not try to block things bit by bit.

-- 
Chris Adams <linux@xxxxxxxxxxx>
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]


  Powered by Linux