On 4/11/24 5:39 AM, Mason Kaufer wrote:
Hi, I am currently trying to set up a firewall on an Ubuntu 22.04 machine that will block a list of 2 million plus ip addresses without slowing the network speed down tremendously. I have tried using ipset but I get an error that the hash size isn't large enough. I have tried manually setting the hash size but it only allows that option to be so large. Is there something I am doing wrong or is there a better way to achieve this? Any help with this would be much appreciated.
There could be another way, that would work for both inbound and outbound blocking. Consolidate the list into net ranges, and add the ranges as BLACK HOLE routes in the routing table.
I'm less and less enamored with using IP lists in a firewall when the routing table is optimized to handle BIG lists of addresses, if you do the consolidation properly.
Also, be sure to have short-circuit rules for established connections in your firewall list, if you do decide to lard up an IP table list. That will help the speed problem, by restricting the loading to new connections.
