On Tue, 16 Dec 2008, Julien Vehent wrote:

> On Tue, 16 Dec 2008 16:04:36 +0100, Michael Schwartzkopff
> <misch@xxxxxxxxxxx> wrote:
> > On Tuesday, 16 December 2008 15:27 you wrote:
> >> Hi All,
> >>
> >> I was wondering how I could integrate the spamhaus drop list
> >> (http://www.spamhaus.org/drop/drop.lasso) into my Netfilter rules.
> >>
> >> The list is not too long, so I thought putting it directly into a new
> >> chain would be doable without degrading the performance too much. Somebody
> >> also told me to use a tree of chains, but I wonder if this is necessary
> >> considering the size of the list...
> >>
> >> Has anybody done this before?
> >>
> >> Thanks,
> >> Julien
> >
> > Googling "iptables spamhaus" gives you the site:
> >
> > http://robotterror.com/site/wiki/aggressive_spam_and_zombie_blocking_via_spamhaus_org_drop_and_iptables
> >
> > in first place.
> >
> > Cheers,
>
> Dear Doctor,
>
> Thanks for your tremendous help for adding a rule in a chain...... :/
>
> My question, however, concerns more the performance issue. This list will
> be checked for every single TCP-SYN or UDP packet that goes through the
> kernel, and if the first byte is something like 128, it's definitely
> useless to try all the 91.*
>
> But implementing a tree of chains in netfilter is also quite a pain in the
> ass. So before choosing a solution, I would like the opinion of the
> community.

This sounds like a job for the "iphash" map of the ipset netfilter extension.
Only one rule in your ruleset and a hash-table with the addresses to block.

c'ya
sven
--
The lights are fading out, once more...
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
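As an added example (not code from any poster in this thread), the shell snippet below turns DROP-list text into an `ipset restore` file, which is the "one rule plus a hash set" approach Sven describes. It assumes an ipset build with the `hash:net` set type (the DROP list is CIDR blocks, so a net set fits it better than a per-address set) and a set named `spamhaus-drop`; the list text inside it is a constructed sample, not real Spamhaus data.

```shell
#!/bin/sh
# Added example: turn Spamhaus DROP-list text into an `ipset restore` file,
# so the whole list lives in one hash set and the firewall needs one rule.
# Assumptions: ipset with the hash:net set type (the DROP list is CIDR
# blocks, so a net set fits it better than a per-address set) and a set
# named "spamhaus-drop". The list text below is a constructed sample.

SET_NAME="spamhaus-drop"

# Constructed sample in the DROP list layout: ';' comments, "net/len ; SBLid".
SAMPLE_DROP='; Spamhaus DROP List (constructed sample, not real data)
; Last-Modified: Tue, 16 Dec 2008 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/24 ; SBL000003
not-an-address ; SBL000004'

# drop_to_ipset: read DROP text on stdin, write ipset restore commands to stdout.
# Comment and blank lines are skipped; a field that is not digits, dots and a
# prefix length is dropped, so a corrupted download cannot smuggle in commands.
drop_to_ipset() {
    printf 'create %s hash:net family inet\n' "$SET_NAME"
    while read -r net _rest; do
        case "$net" in
            ''|';'*) continue ;;           # blank line or comment
            */*) ;;                        # has a prefix length, keep checking
            *) continue ;;                 # bare host or junk: not a DROP entry
        esac
        case "$net" in
            *[!0-9./]*) continue ;;        # anything but digits, dots, slash
        esac
        printf 'add %s %s\n' "$SET_NAME" "$net"
    done
}

# count_entries: number of 'add' lines produced for the sample (used as a check).
count_entries() {
    printf '%s\n' "$SAMPLE_DROP" | drop_to_ipset | grep -c '^add '
}

# Typical use, not run here: fetch the list, load the set, hook one rule.
#   curl -s http://www.spamhaus.org/drop/drop.lasso | drop_to_ipset | ipset -exist restore
#   iptables -I INPUT -m set --match-set spamhaus-drop src -j DROP
```

Refreshing the list later is the same pipeline again; `ipset -exist restore` tolerates entries that are already present, and the single `-m set` rule never has to change.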