On 27/08/2019 22:27, Nick Howitt wrote:
On 27/08/2019 22:08, Kenneth Porter wrote:
--On Tuesday, August 27, 2019 10:37 AM +0100 Nick Howitt
<[email protected]> wrote:
FWIW if you are trying to block all non-US, I would expect it would be a
lot more efficient to generate a US only list then block all on no match
with the following in your iptables rule:
-m set ! --match-set US-list
How would you construct that list? I suspect the values in the IPDeny
US list don't cover the rest of the space and there may be desirable
addresses in the remaining space. It would be interesting to compute
a negative list of all addresses in the full list and see what's in
there.
You can construct the list by using my code with just the US as a
country (or US and CA), or you can use the other code linked to and
reverse the check so it picks up the US and not the rest. The key
thing is the negation of the match in iptables.
A slight stupidity here. If using IPdeny as a source of data, they
produce a single file for each country as well. You can just pick up the
US file.
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
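The approach the thread converges on, as an added example that is not from any of the posters: take a per-country IPdeny-style zone file (the content below is constructed sample data, not the real US zone), turn it into an `ipset restore` script for a `hash:net` set, and emit the negated `-m set ! --match-set` rule. Nothing here touches the kernel; the commands are printed for review. The `src` direction, the `DROP` target, the `INPUT` chain and the loopback exemption are assumptions, and so is the skip-malformed-entry check.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Generates the ipset
# and iptables commands for "allow the US set, block everything else".

SET_NAME="US-list"   # set name taken from the thread

# Constructed sample zone file in IPdeny format (one CIDR per line).
# Includes a comment, a blank line and one malformed entry to show handling.
make_sample_zone() {
  cat <<'EOF'
3.0.0.0/9
# sample comment line
8.8.8.0/24

not-a-cidr
100.64.0.0/10
EOF
}

# Read a zone file on stdin, write an `ipset restore` script on stdout.
# Entries that are not a dotted quad with optional /prefix are reported on
# stderr and skipped rather than silently producing a broken restore file.
zone_to_ipset_restore() {
  set_name="$1"
  echo "create $set_name hash:net family inet"
  grep -Ev '^[[:space:]]*(#|$)' | while IFS= read -r cidr; do
    if ! printf '%s\n' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
      echo "skipping malformed zone entry: $cidr" >&2
      continue
    fi
    echo "add $set_name $cidr"
  done
}

# The negated match the thread points at: drop any packet whose source is
# NOT a member of the set. Loopback is accepted first so local traffic is
# never caught by the negation (assumed safeguard, not from the thread).
iptables_block_non_members() {
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m set ! --match-set $1 src -j DROP"
}

main() {
  make_sample_zone | zone_to_ipset_restore "$SET_NAME"
  iptables_block_non_members "$SET_NAME"
}
```

Feed the first part of the output to `ipset restore -exist` before loading the iptables rule; if the set does not exist yet, the `! --match-set` rule will fail to load rather than block everything.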