I currently have a workflow set up here where any time I have an IP
address that I want blocked/blacklisted I add it to an ipset which is
referenced in the blrules file.

After adding a new entry to an ipset I run:

# /etc/shorewall-lite/state/firewall run save_ipsets /etc/shorewall-lite/state/ipsets.save

so that the new ipset entry will be saved so that if the shorewall-lite 
machine is restarted the ipset is restored.

# /etc/shorewall-lite/state/firewall run save_ipsets

seems pretty heavy though to be running after each ipset addition when
the number of ipsets starts to grow.  Currently my ipsets.save file is
1.1MB with ~41K entries and can take (sometimes many many) 10s of
seconds to save.

I could step back and only do saves on a periodic basis, like every 10
minutes or something, but I'd like the saving to be as up-to-date as
possible rather than being as much as 10 minutes out of date.

I wonder if there is any more efficient way of handling this problem.

This is starting to smell like a logging/journalling problem where a
log/journal of changes is continually appended to with periodic rollups
so that if the machine does reboot, the latest ipsets.save is restored
and then the journal is replayed to get it up to date since the last
rollup (save to ipsets.save).

Slim chance, but I wonder if anyone has implemented such a solution, or
any other solution to this problem.

Cheers,
b.
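One way to build the journal-and-rollup scheme sketched above, as an added example that is not code from the post or from Shorewall. It calls `ipset` directly instead of the generated firewall script's `save_ipsets`, and the state paths, the journal file name, the set name and the way it is hooked into cron and the boot sequence are all assumptions; the ipset itself is assumed to exist already.

```shell
#!/bin/sh
# Journal-and-rollup for ipset changes (added example, not from the post).
# Paths and set names are assumptions; IPSET may be pointed at a stub.
set -eu

STATE_DIR="${STATE_DIR:-/etc/shorewall-lite/state}"
IPSETS_SAVE="${IPSETS_SAVE:-$STATE_DIR/ipsets.save}"
JOURNAL="${JOURNAL:-$STATE_DIR/ipsets.journal}"
IPSET="${IPSET:-ipset}"

# Block one address: apply it, then append the same line in `ipset restore`
# syntax to the journal. Journaling after a successful add means a rejected
# entry never reaches the journal, so a later replay cannot abort on it.
block_ip() {
    $IPSET -exist add "$1" "$2"
    printf 'add %s %s\n' "$1" "$2" >> "$JOURNAL"
}

# Periodic rollup (cron/timer): rotate the journal *before* saving, so that
# entries added while `ipset save` runs land in the fresh journal; everything
# in the rotated file is already in the kernel and therefore in the save.
rollup() {
    if [ -f "$JOURNAL" ]; then mv -f "$JOURNAL" "$JOURNAL.rolling"; fi
    $IPSET save > "$IPSETS_SAVE.tmp"
    mv -f "$IPSETS_SAVE.tmp" "$IPSETS_SAVE"   # atomic replace of the rollup
    rm -f "$JOURNAL.rolling"
}

# Boot-time restore: load the last rollup, then replay the journals. A
# leftover .rolling file means a rollup was interrupted, so replay it too.
restore_ipsets() {
    if [ -s "$IPSETS_SAVE" ]; then $IPSET -exist restore < "$IPSETS_SAVE"; fi
    for j in "$JOURNAL.rolling" "$JOURNAL"; do
        if [ -s "$j" ]; then $IPSET -exist restore < "$j"; fi
    done
}

# Entries journaled since the last rollup, i.e. what a reboot right now
# would depend on the journal replay for.
journal_pending() {
    if [ -f "$JOURNAL" ]; then wc -l < "$JOURNAL" | tr -d ' '; else echo 0; fi
}
```

The journal only ever grows by one short line per blocked address, so the per-add cost stays constant no matter how large the sets get, while the expensive full save moves to the rollup interval.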


Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
