Once upon a time, Stephen John Smoogen <smooge@xxxxxxxxx> said:
> It will because it is a linear list that every packet has to be 'judged'
> against. Even if you break it down to 2 or 3 trees it will still take a
> while.

Putting them in an ipset would give much better performance (it uses a hash, so not a linear search). It also makes for a much more readable and manageable firewall config. I use ipsets for most everything these days, even where there are just a few IPs/networks involved. However...

> Any list of ip addresses is going to be outdated by a year because of how
> ranges are so dynamic these days. Most 'bad-guys' can jump around a couple
> hundred thousand or million ip addresses without much cost on their part
> and can get new ranges to screw around weekly.

Yeah, it's going to be a useless list. If you want to protect services, then short-term blocking like fail2ban is okay - better is to just allow your "known good" sources and not try to block things bit by bit.

-- 
Chris Adams <linux@xxxxxxxxxxx>
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
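As an added example (not part of the thread, and not Chris Adams' or the CentOS project's own code), the following POSIX sh script shows the two things the reply above recommends: keeping addresses in an ipset hash set instead of a long linear iptables chain, and allowing only "known good" sources to reach a service rather than chasing a blocklist. It generates an `ipset restore` file that builds fresh sets and swaps them in atomically (so the live set is never empty mid-refresh), plus the iptables/ip6tables rules that consult them. The set name `known_good`, the port 22, and the sample address list are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example: build an ipset "known good" allow-list and the firewall
# rules that use it. Set names, the port, and KNOWN_GOOD are assumptions.

# Constructed sample list: one address or CIDR per line, comments allowed.
# The deliberately bad last entry shows the validation path.
KNOWN_GOOD='
# office and VPN egress
192.0.2.0/24
198.51.100.17
2001:db8:1::/48
not-an-address
'

# ipset restore aborts the whole batch on a malformed line, which would
# leave the old set in place unchanged, so validate before emitting.
# Accepts a bare IPv4/IPv6 address or an address with a prefix length.
valid_cidr() {
    case "$1" in
        ""|*[!0-9a-fA-F:./]*) return 1 ;;
    esac
    case "$1" in
        */*) plen=${1#*/}; addr=${1%/*} ;;
        *)   plen=""; addr=$1 ;;
    esac
    case "$addr" in
        *:*)     max=128 ;;
        *.*.*.*) max=32 ;;
        *)       return 1 ;;
    esac
    [ -n "$plen" ] || return 0
    case "$plen" in
        *[!0-9]*) return 1 ;;
    esac
    [ "$plen" -le "$max" ]
}

# Print an ipset restore script for NAME built from LIST. An ipset set holds
# one address family, so one set per family is created. Entries go into a
# *_new set which is then swapped with the live one and destroyed, so
# packets are always matched against a fully populated set. Apply with
# "ipset -exist restore" so re-running after a failed run is harmless.
gen_ipset_restore() {
    name=$1; list=$2
    for fam in inet inet6; do
        # Defaults are hashsize 1024 / maxelem 65536; raise maxelem for
        # lists in the hundreds of thousands of entries.
        echo "create ${name}_${fam} hash:net family ${fam}"
        echo "create ${name}_${fam}_new hash:net family ${fam}"
        echo "flush ${name}_${fam}_new"
    done
    printf '%s\n' "$list" | while IFS= read -r line; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t')
        [ -n "$line" ] || continue
        if ! valid_cidr "$line"; then
            echo "skipping invalid entry: $line" >&2
            continue
        fi
        case "$line" in
            *:*) echo "add ${name}_inet6_new ${line}" ;;
            *)   echo "add ${name}_inet_new ${line}" ;;
        esac
    done
    for fam in inet inet6; do
        echo "swap ${name}_${fam}_new ${name}_${fam}"
        echo "destroy ${name}_${fam}_new"
    done
}

# Print the rules for one TCP service: accept sources in the allow-list
# sets, drop everyone else. Two rules per family, however long the list is.
gen_iptables_rules() {
    name=$1; port=$2
    echo "iptables -A INPUT -p tcp --dport ${port} -m set --match-set ${name}_inet src -j ACCEPT"
    echo "ip6tables -A INPUT -p tcp --dport ${port} -m set --match-set ${name}_inet6 src -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport ${port} -j DROP"
    echo "ip6tables -A INPUT -p tcp --dport ${port} -j DROP"
}

# Demo: show both outputs. To apply for real (as root):
#   gen_ipset_restore known_good "$KNOWN_GOOD" | ipset -exist restore
#   gen_iptables_rules known_good 22 | sh
gen_ipset_restore known_good "$KNOWN_GOOD"
gen_iptables_rules known_good 22
```

Refreshing the list later is just re-running the first command; because the swap is atomic, there is no window where the ACCEPT rule matches nothing and the DROP rule locks everyone out. Put the iptables rules in place once (or in your persistent rules file) and only the set contents change over time.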