On Wed, 2003-09-03 at 13:16, Benjamin J. Weiss wrote:
> > I've about had it with attacks to our web server emanating from certain
> > geographical areas. This is not a display of Xenophobia. I have never
> > really used IPT.
> >
> > It takes about 4,000 lines for Korea and China alone and that's with
> > CIDR formatting.
> >
> > Two questions:
> >
> > 1. Will a table that size create a problem? Is that even a very large
> > table?
>
> Yes, it will. You have to remember that every packet that comes into your
> box has to be tested against every rule in your firewall, until it finds one
> that it matches. This means that if you have 4,000 REJECT lines followed by
> an ALLOW rule, then every request that is *authorized* to use your box will
> have to go through 4,000 tests first.
>
> I expect that you will rapidly notice the CPU usage go up, and your network
> "speed" and server response go down.
Not to promote an alternative OS here, but I'd strongly suggest you
investigate OpenBSD with the PF firewalling code. It's much simpler to
understand and configure, much more similar to ipchains or ipfilter
syntactically. Performance-wise, you're going to appreciate it for your
needs. From what I've heard, it handles large tables of addresses very
well, using hashes to do quick lookups.

> > 2. I have single lines like:
> > "/sbin/iptables -A INPUT -s 61.32.0.0/16 -j REJECT"
> >
> > What is the most efficient means of logging matches? I suppose that I
> > could create another shell script replacing REJECT with LOG or am I way
> > off?
>
> IIRC, a LOG without a REJECT will still allow the packet through, but will
> log it. You would have to have REJECT LOG at the end of the rule. Of
> course, your log file will rapidly bloat to (probably) unmanageable
> proportions.
>
> There are ways (though I can't remember what they are) to set up your system
> in such a way as to dynamically block IPs from which you are receiving
> attacks. I believe that they involve setting up iptables to work with snort
> (http://www.snort.org), but I can't remember for sure.

This is potentially a very bad idea, depending on the scenario. It's
trivial to spoof an innocent bystander's address, causing dynamic blocking
of those systems/networks.

OpenBSD has a nice feature that has been imported to -current that works
nicely against attacks like these: developers have added the ability to
filter based on TCP SYN signature. It only requires the capture of the
initial SYN packet, comparing it against a local list of known signatures.
As you might imagine, it's very effective at blocking initial connections
from Windows hosts. ;-)

FWIW, I'm not trying to promote OpenBSD over Linux per se... just offering
up the best tool for _this_ job.
-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
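An added example, not part of the thread, modelling the two points discussed above (the per-packet linear rule walk that makes a 4,000-rule REJECT list expensive for authorised traffic, and LOG being a non-terminating target so a LOG-only rule still lets the packet reach the ACCEPT below it) next to a hashed, PF-table-style lookup keyed by prefix length. The block list is constructed (the thread's 61.32.0.0/16 plus synthetic /16s) and the evaluator is a simulation of netfilter semantics, not a call into iptables; the table lookup generalises to mixed prefix lengths, not only /16s.

```python
import ipaddress

# Constructed block list: the thread's 61.32.0.0/16 plus synthetic /16s to
# reach the "about 4,000 lines" the original poster mentions.
BLOCKLIST = ["61.32.0.0/16"] + [
    f"{a}.{b}.0.0/16" for a in range(16, 32) for b in range(256)][:3999]


def build_chain(cidrs, targets=("LOG", "REJECT")):
    """One rule per (CIDR, target) in order, then a catch-all ACCEPT.
    targets=("LOG",) models replacing REJECT with LOG in the script;
    ("LOG", "REJECT") models logging a match and then rejecting it."""
    chain = [(ipaddress.ip_network(c), t) for c in cidrs for t in targets]
    chain.append((None, "ACCEPT"))  # authorised traffic only gets here
    return chain


def walk_chain(chain, src):
    """Netfilter-style evaluation: top to bottom, first terminating match
    wins.  LOG is non-terminating, so a LOG match records the hit and the
    packet keeps walking.  Returns (verdict, rules_tested, logged)."""
    addr = ipaddress.ip_address(src)
    logged = False
    for tested, (net, target) in enumerate(chain, start=1):
        if net is not None and addr not in net:
            continue
        if target == "LOG":
            logged = True
            continue
        return target, tested, logged
    return "POLICY", len(chain), logged  # fell off the end: chain policy


def build_table(cidrs):
    """PF-table style lookup: network addresses hashed by prefix length, so a
    source is tested once per distinct prefix length, not once per rule."""
    table = {}
    for c in cidrs:
        net = ipaddress.ip_network(c)
        table.setdefault(net.prefixlen, set()).add(int(net.network_address))
    return table


def table_lookup(table, src):
    """Returns (blocked, lookups_done)."""
    a = int(ipaddress.ip_address(src))
    for n, (plen, nets) in enumerate(table.items(), start=1):
        masked = (a >> (32 - plen)) << (32 - plen)  # keep the top plen bits
        if masked in nets:
            return True, n
    return False, len(table)
```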