[Shorewall-users] blacklist questions
Tue, 16 Jul 2002 07:23:55 -0700 (PDT)
On Tue, 16 Jul 2002, Abdul Karim wrote:
> Hi all, I need to find out if there are any performance issues involved with
> having a black list on the firewall. As I understand it, before a packet is
> delivered it will go through all the IPs in the blacklist, therefore
> eventually we might end up having quite a lot of IPs in the black list. My
> question is how much delay will that cause (if any) to reach any of the
> machines I have in my DMZ or when doing port forwarding. Please do excuse
> me if this question has been answered before but I have looked through the
> archives and the doc of Shorewall. Haven't found anything that answers my
Each entry in the black list is a separate rule so the delay caused is the
time that it takes to evaluate a single Netfilter rule. I have not seen
atomic numbers of this sort published; they obviously depend on the speed
of the CPU and the nature of the rule.
> Also does anyone have a list of IPs which have a record of hacking?
I don't. I tend to use the black list as a temporary measure when a site
is causing a lot of log messages to be generated (such as systems that are
Nimda-infected) or when some idiot tries to Wget the entire 77MB Shorewall
FTP site (my DSL line is only 384kb). With this usage, my own black list
is always quite short. I use dynamic blacklisting which is more expensive
than static blacklisting using the /etc/shorewall/blacklist file.
Sorry that I can't be of more help...
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ email@example.com
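The reply above says that each blacklist entry becomes one Netfilter rule, so a packet pays one rule evaluation per entry. The following model, added here as an example and not code from the thread or from Shorewall, simulates that top-to-bottom, first-match traversal in Python so the cost can be counted: a blacklisted source stops at the rule that matches it, while every legitimate packet traverses the whole chain before reaching the rest of the ruleset. The addresses, the packets and the per-rule timing are constructed sample data and a user-space approximation; they illustrate how the cost scales with the number of entries, not what a kernel rule costs on a given CPU.

```python
"""Model of a per-entry blacklist as a linear chain of Netfilter rules.

Added example, not part of the original thread or of Shorewall. It mimics the
first-match evaluation the reply describes (one rule per blacklisted address)
so the per-packet cost can be counted and roughly timed. All addresses and
packets below are constructed sample data.
"""
import ipaddress
import time

# Constructed blacklist entries (documentation ranges, not a real hacker list).
BLACKLIST = ["198.51.100.7", "203.0.113.0/24", "192.0.2.44"]


def build_chain(entries):
    """Turn each blacklist entry into one rule, keeping the order as a firewall would."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def evaluate(chain, src):
    """Walk the chain top to bottom like Netfilter; return (verdict, rules_checked).

    A non-matching packet, which is the normal case for legitimate traffic,
    is compared against every rule before it falls through to the rest of
    the ruleset.
    """
    addr = ipaddress.ip_address(src)
    for i, net in enumerate(chain, 1):
        if addr in net:
            return "DROP", i
    return "CONTINUE", len(chain)


def worst_case_cost(chain):
    """Rule evaluations a legitimate packet pays: the full chain length."""
    return len(chain)


def time_per_rule(n_entries, packets=500):
    """Rough wall-clock cost per rule evaluation for a synthetic chain.

    Builds n_entries synthetic /32 rules inside 10.0.0.0/8 and probes with an
    address that matches none of them, so every packet traverses the whole
    chain. This is a Python approximation, not a kernel measurement.
    """
    entries = [str(ipaddress.ip_address(0x0A000000 + i)) for i in range(n_entries)]
    chain = build_chain(entries)
    t0 = time.perf_counter()
    for _ in range(packets):
        evaluate(chain, "172.16.0.1")
    total = time.perf_counter() - t0
    return total / (packets * n_entries)


if __name__ == "__main__":
    chain = build_chain(BLACKLIST)
    for src in ("203.0.113.9", "192.0.2.44", "8.8.8.8"):
        print(src, evaluate(chain, src))
    for n in (10, 100, 1000):
        ns = time_per_rule(n) * 1e9
        print(f"{n:5d} entries: ~{ns:.0f} ns per rule evaluation (Python model)")
```

The point to take from running it is the shape of the cost, not the absolute numbers: the per-rule figure stays roughly constant while the per-packet figure for legitimate traffic grows linearly with the number of entries, which is why the reply recommends keeping the list short and treating it as a temporary measure.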