[Bloat] netperf server news
Kenneth Porter
shiva at sewingwitch.com
Wed Oct 7 21:39:02 EDT 2020
--On Wednesday, October 07, 2020 3:23 PM -0400 Rich Brown
<richb.hanover at gmail.com> wrote:
> I'm also aware of ipset, which I take to be an optimized alternative to
> searching a long set of iptables rules (true?) I don't believe that my
> OpenVZ VPS has kernel support for this, so as long as the
> long-list-of-rules seems to work well, I'm going to leave it alone.
A quick google of "OpenVZ ipset" turned up a thread from 3 years ago
suggesting it's in their kernel:
<https://forum.openvz.org/index.php?t=rview&goto=53549&th=13604>
Note that ipset operates in addition to iptables. Other kernel subsystems
can also use them. iptables has a module to query an ipset.
500 rules is a lot to search linearly. I'd think a hash table would give
much superior performance. Note that every "good" packet has to check ALL
the blocking rules to be approved.
I use ipsets to block probes to my mail servers from outside the country
and from cloud services. I've managed to find a few sources of lists for
those. I also use ipset with fail2ban.
The only complicated part is how to handle reboots or other service
restarts. I use firewalld which does its own ipset management so I put the
permanent lists there. (I have scripts to convert the cloud lists to a
firewalld's XML format for its ipset storage.) fail2ban keeps its own block
database in a sqlite file and tears down and recreates its ipsets on
restart.
More information about the Bloat
mailing list