Portsentry and too many iptables rules?
David A. Bandel
david.bandel at gmail.com
Sun Jul 13 05:42:13 PDT 2008
On Sun, Jul 13, 2008 at 12:45 AM, Shawn Tayler <stayler at xmtservices.net> wrote:
> Hi Guys,
>
> I've been running portsentry v2.0b1 for many years, since before it was closed
> up. I seem to remember someone spending some time with it, correcting a few
> bugs etc. Is there a newer version out there? If not, are there any issues
> with it, and replacements you would recommend?
>
> Also, how many is too many iptables drop rules? I currently have somewhere
> around 50,000 and growing, thanks in part to portsentry. Is there a better
> way to handle large quantities of block and drop rules?
I hope you have a match state rule so you're not running those 50k of
rules on every connection.
I would think it more effective to pull those drop rules, sort on IP
and use a whois to find foreign blocks (at least) and drop them as
blocks vice individual IPs. That is, you see you have several IPs in
the range: 217.52.231.x. You do a whois and find they belong to Nile
Online in Africa and they've been assigned 217.52.0.0 to
217.55.255.255. OK, so one rule will block all those IPs:
217.52.0.0/22. You'll also find a number of assignments of /19 blocks
in Korea, China, etc. This will probably take your 55k of rules down
a few k.
But with that many rules, it might just be better to policy block as
Shawn suggested. Or if you only do outgoing (not running services)
block all connection attempts and just use a state rule to handle
outgoing. Simple and effective.
Ciao,
David A. Bandel
--
Focus on the dream, not the competition.
- Nemesis Air Racing Team motto
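The aggregation David describes (sort the per-host drop rules, map groups of them onto the whois-assigned block, and put a state rule in front so the long DROP list is never walked for packets belonging to existing connections) can be automated. The following is an added example, not code from either poster or from portsentry: the blocked addresses and the whois assignment are constructed sample data, and `range_to_prefixes`, `aggregate` and `iptables_rules` are hypothetical helper names. It uses only the Python standard library `ipaddress` module, which computes the covering CIDR prefix for an assignment range and also merges adjacent host entries that have no known assignment.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample: individual hosts as portsentry would have added them,
# one DROP rule each. Three of them fall in 217.52.231.x as in the mail.
BLOCKED_IPS = [
    "217.52.231.7", "217.52.231.19", "217.52.231.200",
    "217.53.10.1", "217.55.1.1",
    "10.9.8.7", "10.9.8.8", "10.9.8.9",
    "203.0.113.5",
]

# Constructed sample: a whois-style assignment (first address, last address).
# This is the range the mail quotes for the 217.52.231.x hits.
ASSIGNMENTS: List[Tuple[str, str]] = [
    ("217.52.0.0", "217.55.255.255"),
]


def range_to_prefixes(first: str, last: str) -> List[str]:
    """Turn a whois assignment range into the smallest set of CIDR prefixes
    that covers exactly that range (one prefix when the range is aligned)."""
    return [
        str(net)
        for net in ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)
        )
    ]


def aggregate(ips: Iterable[str], assignments: Iterable[Tuple[str, str]]) -> List[str]:
    """Replace every host that lies inside a known assignment with the
    assignment's prefix; collapse the remaining hosts into the minimal set
    of prefixes (adjacent hosts merge into one wider prefix).
    Returns prefix strings in address order."""
    assignment_nets: List[ipaddress.IPv4Network] = []
    for first, last in assignments:
        assignment_nets.extend(
            ipaddress.ip_network(p) for p in range_to_prefixes(first, last)
        )

    leftovers = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in assignment_nets):
            leftovers.append(ipaddress.ip_network(ip))  # /32 host network

    # collapse_addresses merges adjacent prefixes and drops any prefix that
    # is already contained in another one.
    merged = ipaddress.collapse_addresses(assignment_nets + leftovers)
    return [str(net) for net in merged]


def iptables_rules(prefixes: Iterable[str], chain: str = "INPUT") -> List[str]:
    """Emit the rule list: a state rule first, so packets of already-accepted
    connections match on rule one and never traverse the DROP list, then one
    DROP per aggregated prefix."""
    rules = [
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    ]
    rules.extend(f"iptables -A {chain} -s {prefix} -j DROP" for prefix in prefixes)
    return rules


if __name__ == "__main__":
    prefixes = aggregate(BLOCKED_IPS, ASSIGNMENTS)
    print(f"{len(BLOCKED_IPS)} host rules -> {len(prefixes)} prefix rules")
    for rule in iptables_rules(prefixes):
        print(rule)
```

On the sample data the nine host rules become four prefix rules, and the 217.52.0.0 to 217.55.255.255 assignment comes out as a single prefix. The script only prints the rules; review the output before loading it, since a too-wide whois block can also cover hosts you still want to reach. With a very large list the usual next step is to load the prefixes into an ipset (`hash:net`) and match the set from one iptables rule, which keeps lookup cost flat regardless of how many blocks are in it.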