On Thu, 2011-01-27 at 15:49 -0800, Tim wrote:
> > Which method of blocking large numbers of IPs is the least consumptive
> > of system resources?
>
> iptables is most likely more efficient, though it may be harder to
> manage. I also am not sure how well it scales when you have thousands
> of individual IP addresses. However, it is efficient for blocking
> groups of IPs.
>
> > I have been using IPtables for several years but
> > am curious as to whether it is the best way to go when blocking hundreds
> > of IPs - like maybe for ALL of China and/or Korea for instance.
>
> You may want to rethink the approach of blocking whole countries.
> For some time a friend of mine was blocking all of China and Korea to
> cut down on spam. However, just recently he was working for a client
> in one of those countries and just couldn't figure out why he couldn't
> receive their email. He had forgotten about the blocking.
>
> There's no telling if/when you'll run into similar issues, and it may
> not be related to traffic you can anticipate will go to/from those
> countries. (Think geographically distributed services you use every
> day.)
>
> A better approach to cut down on noise might be to block traffic from
> IPs on public blacklists like the spamhaus XBL:
> http://www.spamhaus.org/xbl/
>
> I'm not sure if that specific blacklist is convenient to use with
> iptables, but that would be a better approach in my book.
>
> HTH,
> tim
> _______________________________________________
> PLUG mailing list
> PLUG@lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug

w/r/t iptables blocklists, i use peerguardian at home and on my servers,
it's packaged as pgld and pglcmd for most distros. it lets you choose
from a wide variety of blocklists for hosts with various types of bad
behavior, and supports whitelisting or custom blacklists, so fine-tuning
is a simple matter.

i *believe* that pgld primarily uses lists supplied by Bluetack, but i am
also pretty sure there are some others in the bunch.

as usual, ymmv.

regards,
nathan