Hi, 1 million (ips and subnets) we are looking is actually the top 1 million spammers and open relays used. This list is automatically generated and currently stored in cdb files. Limited maximum connections and a simple accept established help, but we need more. Currently looking into modify the set patch to handle this large number. If not iptables then openbsd pf. We do get up to 100 smtp connections from a simple ip during peak times. > If you allow a simple IP to make a 100 smtp connections to your mail server > then you have other problems. Why you would allow any IP to make more then 10-15 > connections is beyond me. Also .. if you set a error limit (example mine is 5) > when that limit is reached the smtp and tcp connection are dropped. > I am not saying that you should not block abusive IP's or network's at the > > Also what about ESTABLISHED connections ??? If you do not use a ESTABLISHED > state -j ACCEPT at the top ... then each IP would then in theory have to match 1 > million rules every time it came in. > > I am sure there is a better answer then to create 1 million iptable rules. > > Michael. > > > On Mon, 28 Jun 2004 21:20:16 +0800 > Feizhou <feizhou@xxxxxxxxxxxxx> wrote: > > > Michael Gale wrote: > > > Hello, > > > > > > Why don't you block networks ?? > > > > > > Firewall - SYN Cookie enabling ? > > > > What good is syn cookies against traffic that conform to tcp rules but > > are just too abusive? > > > > > > Mail servers - use RBL list - this list will contain networks of IP's that > > > belong to home users. So they do not need to connect directly to your mail > > > server. > > > > RBL does nothing against spammers who open 100 connections to each of > > your MXs and who run malware that do not understand,respect smtp 5xx. > > Dropping the connection means they keep coming at you. For these, there > > is nothing but a firewall that will keep them off your MXs. > > > > > > Web servers -- rate limiting ? block networks ? Better web server ? > > > > > > If you blocked networks ? The estimated max number of rules a packet might > > > have to match would be 254 ... plus the rest of your filtering for ports and > > > other needs. This could slow down network access because of all the rules to > > > check for each packet. > > > > > > If you are not using network addresses the list would become to long. > > > > I am sure CIDRs were part of the OP's mind since iptables takes both > > individial ips and CIDRs. He probably does have a mixture of over a > > million ips/cidrs he wants to block. > > > > > > > > > > > -- > Michael Gale > Network Administrator > Utilitran Corporation >
