On Wed, 3 Nov 2021, post...@ptld.com wrote:

 Just an FYI: programs that change the firewall like fail2ban and sshguard
 can put a high burden on the server in the event your firewall blocks
 a large amount of IP space AND you are on a very limited CPU.

 Touching the firewall can lock out the server for seconds as the firewalld
 (I assume) creates some efficient table of IP space to block. Once the
 firewall is established it isn't much of a CPU load but changing the
 inputs to it does burden the CPU.

Have you checked out ipset? It is fast and lightweight, allowing you to add/remove IPs to block without touching the firewall (no restart/reload) or having to change rules. Ipset is integrated into the kernel; you just add a one-time rule to your firewall to block anything contained in the ipset. One of ipset's features is auto-expire time limits: you can tell it to ban an IP for between 1 second and 3 weeks, or with no timer and ban until the IP is manually removed.

With nftables (which unfortunately does not combine with ipset, which was a great tool indeed), blocking an IP/range is effectively an immediate action.

My fail2ban block script does "nft add element inet filter fail2ban { <IP> }", where fail2ban is a "set" (in the terminology of nftables).

Cheers,
Bernardo
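As an added example (not code from the thread) of the set-based approach Bernardo describes: a ruleset loaded once that declares a `fail2ban` set with per-element timeouts (nftables sets give the same auto-expiry the ipset post praises) and a single drop rule, plus a small POSIX shell action script that builds the `nft add element` / `nft delete element` commands. The table, chain and set names, the IPv4-only set and the 10m default timeout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Names (inet filter / fail2ban / input),
# the IPv4-only set and the 10m default timeout are assumptions.
# Commands are only printed unless NFT_APPLY=1 (needs root and nft).
TABLE="inet filter"
SET="fail2ban"

# Loaded once with "nft -f": a set whose elements expire on their own and
# one rule that drops any source address currently in the set. Banning an
# address later adds an element; the rules are never touched again.
RULESET='table inet filter {
    set fail2ban {
        type ipv4_addr
        flags timeout
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr @fail2ban drop
    }
}'
# fail2ban hands the matched <ip> to this script; refuse anything that is
# not a dotted quad so no log-derived text reaches a command line unchecked.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}
# Build the ban command: element with a per-entry timeout (e.g. 10m, 1h, 1d).
ban_cmd() {
    valid_ipv4 "$1" || return 1
    echo "nft add element $TABLE $SET { $1 timeout $2 }"
}
# Build the unban command for a manual early release.
unban_cmd() {
    valid_ipv4 "$1" || return 1
    echo "nft delete element $TABLE $SET { $1 }"
}
# Print the command, or run it when NFT_APPLY=1.
apply() {
    if [ "${NFT_APPLY:-0}" = 1 ]; then sh -c "$1"; else printf '%s\n' "$1"; fi
}
# Usage: fail2ban-nft.sh init | ban <ip> [timeout] | unban <ip>
case "${1:-}" in
    init)  if [ "${NFT_APPLY:-0}" = 1 ]; then printf '%s\n' "$RULESET" | nft -f -
           else printf '%s\n' "$RULESET"; fi ;;
    ban)   cmd=$(ban_cmd "$2" "${3:-10m}") || exit 2; apply "$cmd" ;;
    unban) cmd=$(unban_cmd "$2") || exit 2; apply "$cmd" ;;
esac
```

Without `NFT_APPLY=1` the script only prints what it would run, which is a convenient way to check the generated commands before wiring it into a fail2ban action.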
