Re: banning bot ips with ipset

Hi there,

On Tue, 25 Nov 2008, Nigel Heron wrote:

> We're being attacked by a botnet ... started dropping them in
> iptables, once we got to ~1700 banned ips the server stopped nat'ing
> completely (not sure why..)

It probably just ran out of steam.  The performance of iptables with
thousands of rules can be poor if you don't structure them carefully.

> Is ipset stable enough to be deployed on live environments?

I've been using it for years with absolutely zero problems.

> iphash seems like the best set type for us, how many
> ips can the set handle before there's a noticeable slowdown?

I currently have about 50,000 ipset (iphash) rules on modest hardware,
with no noticeable performance impact.  There's a good report here:

http://people.netfilter.org/kadlec/nftest.pdf

One of the authors also wrote ipset.  He's on this list.

> obviously, we don't expect ipset to help us with the syn flood, at
> ~30Mb/s of syn traffic, syn cookies aren't helping either, is there
> a syn-proxy implementation for linux?

Sorry, never looked at it, but a quick Google for /"syn proxy" linux/
gave me over 1,000 hits.

--

73,
Ged.
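The approach Ged describes, one ipset containing every banned address and a single iptables rule that consults it, as an added example rather than anything posted in the thread. The script below turns a plain text list of addresses into `ipset --restore` input so the whole set is loaded in one pass, and prints (but does not execute) the commands that would load the set and attach the single DROP rule. The set name `botnet`, the sample address list, and the helper names are constructed for this example; the `-N`/`-A`/`COMMIT` restore syntax and the `-m set --set ... src` match are the ipset 2.x/3.x forms current when the thread was written (newer releases spell these `create`/`add` and `--match-set`).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: load a ban list into one
# ipset "iphash" set and reference it from ONE iptables rule, instead of
# adding thousands of individual iptables rules.

SET_NAME="${SET_NAME:-botnet}"   # assumed set name, constructed for this example

# Produce "ipset --restore" input from a list of addresses, one per line.
# Blank lines and '#' comments are ignored; anything that is not a plain
# dotted IPv4 address is skipped so a stray line cannot break the restore.
build_restore_input() {
    _list="$1"; _set="${2:-$SET_NAME}"
    printf '%s\n' "-N $_set iphash"
    grep -Ev '^[[:space:]]*(#|$)' "$_list" | while IFS= read -r _ip; do
        case "$_ip" in
            *[!0-9.]*) continue ;;      # letters, spaces, etc.: not an IPv4 address
        esac
        printf '%s\n' "-A $_set $_ip"
    done
    printf '%s\n' "COMMIT"
}

# Count how many addresses the generated restore input would add.
count_set_entries() {
    build_restore_input "$1" "${2:-$SET_NAME}" | grep -c '^-A '
}

# Print the commands an administrator would run to activate the set.
# Only printed here; nothing below touches the running firewall.
print_firewall_commands() {
    _restore_file="$1"; _set="${2:-$SET_NAME}"
    printf '%s\n' "ipset --restore < $_restore_file"
    # One rule for the whole set; -I INPUT keeps it ahead of conntrack/NAT work.
    printf '%s\n' "iptables -I INPUT -m set --set $_set src -j DROP"
}

# Constructed sample ban list (documentation-range addresses, not real hosts).
SAMPLE_LIST="$(mktemp)"
trap 'rm -f "$SAMPLE_LIST"' EXIT
cat > "$SAMPLE_LIST" <<'EOF'
# constructed sample: one address per line
192.0.2.10
198.51.100.7

203.0.113.200
not-an-address
EOF

# Stand-alone run: show the generated restore input and the activation commands.
build_restore_input "$SAMPLE_LIST"
echo "# entries: $(count_set_entries "$SAMPLE_LIST")"
print_firewall_commands /tmp/botnet.ipset
```

Loading via `--restore` matters at the sizes discussed in the thread: adding tens of thousands of entries one `ipset -A` at a time forks a process per address, while a single restore builds the hash in one call, and the kernel then tests each packet against the set with a hash lookup rather than walking a rule chain.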