On Wed, Aug 20, 2014, at 02:37 PM, Tom Eastep wrote:
> >             NOTRACK     +IPBLACKLIST_IP!+IPWHITELIST_IP    -
> >             NOTRACK     +IPBLACKLIST_NET!+IPWHITELIST_NET   -
> >             DROP:P      +IPBLACKLIST_IP!+IPWHITELIST_IP              -
> >             DROP:P      +IPBLACKLIST_NET!+IPWHITELIST_NET             -

> Very expensive to have every packet entering the firewall being checked
> twice against a large ipset.

Can't disagree, generally.

Are you referring, specifically, to the presence of BOTH the NOTRACK ... and 
DROP:P ... statements?

Do I need the NOTRACK prior to the DROP:P?  The former I added to avoid filling 
the conntrack table with junk I'm going to 'mercilessly' DROP anyway.

Or are you referring to the size of the IPSETs themselves?

The entry counts for the 4 IPSETs referenced above are, currently:

        IPBLACKLIST_IP          282
        IPBLACKLIST_NET         23287
        IPWHITELIST_IP          7
        IPWHITELIST_NET         2

I'm very open to any ideas or suggestions for a more clever, less expensive, 
approach.
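As an added example, not from this thread and not Shorewall's own code: a small Python model of what the four quoted rules match, plus the iptables lines the set matches correspond to. It uses constructed sample sets in place of the real ones, and it assumes both actions land in the raw table's PREROUTING chain (the rules look like entries from Shorewall's conntrack file, which compiles to the raw table; treat that placement as an assumption). What the model makes visible is that each rule excludes only the whitelist named on that same rule, so a source listed in IPWHITELIST_IP but covered by an IPBLACKLIST_NET prefix is still matched by the _NET rule.

```python
"""
Model of the four ipset blacklist rules quoted above (added example, not
Shorewall code). Answers two things offline:
  1. which source addresses the rules actually hit, and
  2. what the '+BLACKLIST!+WHITELIST' matches look like as iptables rules.
Set contents are constructed sample data, not the poster's real sets.
"""
import ipaddress

# Constructed sample sets (the real ones hold tens of thousands of entries).
SETS = {
    "IPBLACKLIST_IP":  ["198.51.100.7", "203.0.113.9"],
    "IPBLACKLIST_NET": ["192.0.2.0/24", "203.0.113.0/24"],
    "IPWHITELIST_IP":  ["203.0.113.9"],
    "IPWHITELIST_NET": ["192.0.2.128/25"],
}

# The quoted rules as (action, blacklist set, whitelist set) triples.
# Assumption: both NOTRACK and DROP:P are raw-table PREROUTING rules.
RULES = [
    ("NOTRACK", "IPBLACKLIST_IP",  "IPWHITELIST_IP"),
    ("NOTRACK", "IPBLACKLIST_NET", "IPWHITELIST_NET"),
    ("DROP",    "IPBLACKLIST_IP",  "IPWHITELIST_IP"),
    ("DROP",    "IPBLACKLIST_NET", "IPWHITELIST_NET"),
]


def parse_sets(raw):
    """Turn every entry into an ip_network so single addresses (/32) and
    CIDR prefixes are tested the same way."""
    return {name: [ipaddress.ip_network(e, strict=False) for e in entries]
            for name, entries in raw.items()}


def in_set(addr, entries):
    return any(addr in net for net in entries)


def rule_matches(addr, sets, blacklist, whitelist):
    """'+BLACKLIST!+WHITELIST': match if the source is in the blacklist set
    and NOT in the whitelist set named on that same rule. The other
    whitelist set is not consulted by this rule."""
    return in_set(addr, sets[blacklist]) and not in_set(addr, sets[whitelist])


def verdict(src, raw_sets=SETS):
    """Return (notrack, dropped) for a source address under the four rules."""
    sets = parse_sets(raw_sets)
    addr = ipaddress.ip_address(src)
    notrack = any(rule_matches(addr, sets, b, w)
                  for a, b, w in RULES if a == "NOTRACK")
    dropped = any(rule_matches(addr, sets, b, w)
                  for a, b, w in RULES if a == "DROP")
    return notrack, dropped


def iptables_rules():
    """Emit the iptables lines the four rules correspond to. The set match
    is what ipset references compile to; the table is the assumption above."""
    lines = []
    for action, bl, wl in RULES:
        match = f"-m set --match-set {bl} src -m set ! --match-set {wl} src"
        target = "-j CT --notrack" if action == "NOTRACK" else "-j DROP"
        lines.append(f"iptables -t raw -A PREROUTING {match} {target}")
    return lines


if __name__ == "__main__":
    # 203.0.113.9 is whitelisted by IP but sits inside a blacklisted /24,
    # so the _NET rule still hits it; 192.0.2.200 is inside the whitelisted
    # /25 and is left alone by both _NET rules.
    for src in ["198.51.100.7", "192.0.2.10", "192.0.2.200",
                "203.0.113.9", "203.0.113.50"]:
        print(src, verdict(src))
    print("\n".join(iptables_rules()))
```

Run it as is to see the per-address verdicts; swap in your own set contents to check a whitelist entry before relying on it. The generated lines are meant for reading against `iptables -t raw -S PREROUTING` on the box, not for running unreviewed.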




_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users