On Tue, 2012-12-04 at 11:35 -0500, David Hulsebus wrote:
> We've had someone sending network attacks on us over the last few days.
> We are blocking 15K+ IP addresses each 24 hours and have an address
> list that has grown to more than 45K since Sunday morning. I do see my
> CPU usage hasn't really grown beyond 10% - it usually runs 6-8%. Which
> brings me to the question. At that scale are address list look-ups more
> efficient than multiple rules? Or is there a difference? I am looking
> at increasing the blocked time from 3 days to 14.
Address lists are much more efficient than multiple rules. For example:

/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=nossh action=drop

The above is MUCH more efficient with an address list of 100 IPs than it would be to have 100 rules of dropping dst-port tcp/22. I am assuming this is the question you are asking.

NOTE that this is just an example and NOT the best way to handle input rules to manage traffic on port 22 or any other management port.

-- 
********************************************************************
* Butch Evans                   * Professional Network Consultation*
* http://www.butchevans.com/    * Network Engineering              *
* http://store.wispgear.net/    * Wired or Wireless Networks       *
* http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!  *
*              NOTE THE NEW PHONE NUMBER: 702-537-0979             *
********************************************************************

_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
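The following RouterOS configuration is an added example illustrating the point in the reply above; it is not from the original post or from either poster. It shows the single-rule address-list approach in full, with entries that expire on the 14-day retention the original poster was considering, plus automatic population of the list. The list names (blocked_attackers, mgmt_allowed), the ports, and the addresses (RFC 5737 documentation ranges) are assumptions chosen for illustration, and the timeout= option on static address-list entries assumes a RouterOS version that supports it.

```routeros
# Added example, not from the original post. List names, ports and
# addresses below are assumptions; 198.51.100.7, 203.0.113.0/24 and
# 192.0.2.10 are RFC 5737 documentation addresses standing in for real hosts.

# Sources allowed to reach management ports (an allow list, so that the
# block rule is not the only thing protecting SSH/Winbox).
/ip firewall address-list
add list=mgmt_allowed address=192.0.2.10 comment="admin workstation"

# Manually blocked attackers. Entries created with timeout= are dynamic and
# expire on their own, so the list cleans itself up after 14 days.
add list=blocked_attackers address=198.51.100.7 timeout=14d comment="manual block"
add list=blocked_attackers address=203.0.113.0/24 timeout=14d comment="manual block, whole prefix"

# One filter rule covers the entire list, however many entries it holds,
# instead of one drop rule per address. place-before=0 puts it at the top
# of the input chain so a listed source is dropped before any later rule.
/ip firewall filter
add chain=input src-address-list=blocked_attackers action=drop place-before=0 comment="drop listed attackers"

# Automatic population: a new connection to a management port from a source
# that is NOT on mgmt_allowed lands in blocked_attackers for 14 days.
# add-src-to-address-list does not drop the packet itself; the packet
# continues down the chain, and the drop rule above catches the next one.
add chain=input protocol=tcp dst-port=22,8291 connection-state=new src-address-list=!mgmt_allowed action=add-src-to-address-list address-list=blocked_attackers address-list-timeout=14d comment="auto-block management-port probes"

# Checks: how many entries the list holds, and whether the drop rule is
# actually matching (packet/byte counters climb on the stats view).
/ip firewall address-list print count-only where list=blocked_attackers
/ip firewall filter print stats where comment="drop listed attackers"
```

Ordering matters here: if the drop rule sat below an accept rule for established connections, an attacker already mid-session would keep that session alive; placing it first ends it. The auto-block rule only triggers on connection-state=new, so normal return traffic never adds anyone to the list, and the negated src-address-list match means an administrator on mgmt_allowed can never be locked out by it.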