On Fri, 2024-06-21 at 01:01 +0000, Ferris, Rhys (SCC) via mailop wrote:
> I guess my mentality is a large IPTables is still less of a load
> than letting them establish a connection and attempt to
> authenticate, but I'm certainly open to better ideas.

Somewhat OT, but if you can switch to nftables, loading a very large set (100K+ entries) takes like a second and it's O(1) to test against. You can also use ipset with iptables to similar effect, although loading the set takes quite a while at first. You can modify things like fail2ban or ossec to update the sets instead of creating new rules, too.
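
The set-based approach described in the reply above, as an added example that is not part of the original post: a shell function that turns a plain-text blocklist into one nftables set plus a single drop rule, loadable with `nft -f`. The table, chain and set names (`mail_filter`, `input`, `blocklist`) are assumptions, and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. The names mail_filter, input and
# blocklist are assumptions; the addresses are constructed documentation ranges.

# gen_blocklist_ruleset FILE
# Print a ruleset that `nft -f` loads as one transaction: one set, one rule.
gen_blocklist_ruleset() {
    # Keep valid single IPv4 addresses; drop comments, blanks and duplicates.
    # (CIDR ranges would need "flags interval" on the set and are skipped.)
    addrs=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
        awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' |
        sort -u | paste -sd, -)

    # add + delete makes the reload idempotent whether or not the table exists.
    printf 'add table inet mail_filter\ndelete table inet mail_filter\n'
    printf 'table inet mail_filter {\n    set blocklist {\n        type ipv4_addr\n'
    [ -n "$addrs" ] && printf '        elements = { %s }\n' "$addrs"
    printf '    }\n    chain input {\n'
    printf '        type filter hook input priority 0; policy accept;\n'
    printf '        ip saddr @blocklist counter drop\n    }\n}\n'
}

# Constructed sample blocklist.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed entries
192.0.2.10
198.51.100.7   # repeat offender
192.0.2.10
203.0.113.0/24
999.1.1.1
EOF

gen_blocklist_ruleset "$sample"
# To apply (as root), check first, then load:
#   gen_blocklist_ruleset list.txt > bl.nft && nft -c -f bl.nft && nft -f bl.nft
# A ban script then updates the set in place instead of adding a rule:
#   nft add element inet mail_filter blocklist '{ 192.0.2.99 }'
```

However many addresses the set holds, the chain still contains exactly one rule, so a ban or unban only changes set membership.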