[wellylug] Blocking bad IPs from server
Cliff Pratt
enkidu at cliffp.com
Fri Jan 26 19:55:24 NZDT 2007
scott at slackisland.org wrote:
> Hi,
>
>> I'm curious: which kernel version are you using, and how will
>> blacklisting require a recompile? I don't use/know shorewall,
>
> The server is running:
>
> 2.6.9-42.0.3.plus.c4smp #1 SMP Fri Oct 6 11:42:04 CDT 2006 x86_64 x86_64
> x86_64 GNU/Linux
>
> but I think I'll have to roll back to a stock kernel and then compile
> again so that I can patch it with ipsets:
>
> http://ipset.netfilter.org/
>
> Without all the source headers etc, it's tough to patch the kernel.
> Anyway, with ipsets shorewall can set up a blacklist that has thousands of
> IPs without any significant performance hit. Shorewall is basically just
> an iptables management client, very easy to configure and maintain; setting
> up NATs/IPMASQ is a snap. Check it out:
>
> http://shorewall.net
>
You can use blacklists without the ipsets. Admittedly I only block a few
addresses. Personally, I don't see the point of huge IP address lists -
they change all the time.
Cheers,
Cliff
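As an added example (not code from this thread, from Shorewall or from the ipset project), here is a small POSIX shell script that turns a plain-text blacklist into either an ipset-backed rule set or one iptables rule per address, so the two approaches discussed above can be compared side by side. It uses the modern ipset 6 command syntax (ipset create/add and iptables -m set --match-set), which is not the syntax of the 2007-era ipset kernel patch linked above; the set name, chain name and the sample addresses are assumptions/constructed. It prints the commands instead of running them, so it needs no root and the output can be reviewed before it touches a firewall.

```shell
#!/bin/sh
# Added example: turn a plain-text IP blacklist into firewall commands, either as
# an ipset-backed rule (one match regardless of list size) or as one iptables
# rule per address (no ipset needed, but chain length grows with the list).
# Commands are printed, not executed, so this runs without root and can be
# reviewed before use. Names below are assumptions, not Shorewall's own.

BLACKLIST_SET=blacklist      # assumed ipset name
BLACKLIST_CHAIN=blacklist    # assumed iptables chain name

# Constructed sample list (stand-in for a file like /etc/shorewall/blacklist).
# Comments, blanks, a duplicate and an invalid entry are included on purpose.
SAMPLE_BLACKLIST='# hosts we never want to hear from
192.0.2.10
198.51.100.0/24   # whole range
192.0.2.10
not-an-address
203.0.113.7'

# Read a blacklist on stdin; emit only valid, de-duplicated IPv4 addresses or
# CIDR ranges, one per line. A bad entry makes ipset/iptables abort the load,
# so validation here is what keeps the firewall loadable.
clean_blacklist() {
    awk -F'[./]' '
        function digits(n) { return n ~ /^[0-9][0-9]?[0-9]?$/ }
        {
            sub(/#.*/, "")                     # strip trailing comments
            gsub(/^[ \t]+|[ \t]+$/, "")        # and surrounding whitespace
            if ($0 == "" || seen[$0]++) next   # skip blanks and duplicates
            if (NF != 4 && NF != 5) next       # a.b.c.d or a.b.c.d/p only
            for (i = 1; i <= 4; i++)
                if (!digits($i) || $i + 0 > 255) next
            if (NF == 5 && (!digits($5) || $5 + 0 > 32)) next
            print
        }'
}

# ipset variant: one hash:net set holds every entry and a single iptables rule
# consults it, so matching cost does not depend on how many addresses are listed.
ipset_rules() {
    clean_blacklist | awk -v set="$BLACKLIST_SET" '
        BEGIN { printf "ipset create %s hash:net -exist\n", set }
        { printf "ipset add %s %s -exist\n", set, $0 }
        END { printf "iptables -I INPUT 1 -m set --match-set %s src -j DROP\n", set }'
}

# Plain iptables variant: a dedicated chain with one DROP rule per entry. The
# kernel tests these in order, which is fine for a handful of addresses.
iptables_rules() {
    clean_blacklist | awk -v chain="$BLACKLIST_CHAIN" '
        BEGIN { printf "iptables -N %s\n", chain }
        { printf "iptables -A %s -s %s -j DROP\n", chain, $0 }
        END { printf "iptables -I INPUT 1 -j %s\n", chain }'
}

# Usage: ./blacklist.sh --ipset < blacklist   (or --plain), or --demo to render
# the constructed sample list both ways.
case "${1-}" in
    --ipset) ipset_rules ;;
    --plain) iptables_rules ;;
    --demo)  printf '%s\n' "$SAMPLE_BLACKLIST" | ipset_rules
             printf '%s\n' "$SAMPLE_BLACKLIST" | iptables_rules ;;
esac
```

Pipe the generated commands through `sh` only after reading them; for a list of a few addresses the plain iptables chain is perfectly adequate, and the ipset form only pays off once the list is long enough for a linear rule walk to matter.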