[Shorewall-users] blacklist questions

Tom Eastep teastep@shorewall.net
Tue, 16 Jul 2002 07:23:55 -0700 (PDT)

On Tue, 16 Jul 2002, Abdul Karim wrote:

> Hi all, I need to find out if there are any performance issues involved with
> having a black list on the firewall.  As I understand before a packet is
> delivered it will go through all the IP's in the blacklist, therefore
> eventually we might end up having quite a lot of ips in the black list.  My
> question is how much delay will that cause (if any) to reach any of the
> machines I have in my DMZ or when doing port forwarding.  Please do excuse
> me if this question has been answered before but I have looked through the
> archives and the doc of shorewall.  Haven't found anything that answers my
> question.

Each entry in the black list is a separate rule so the delay caused is the
time that it takes to evaluate a single Netfilter rule. I have not seen
atomic numbers of this sort published; they obviously depend on the speed
of the CPU and the nature of the rule.

> Also does anyone have a list of IP's which have a record of hacking?

I don't. I tend to use the black list as a temporary measure when a site
is causing a lot of log messages to be generated (such as systems that are
Nimda-infected) or when some idiot tries to Wget the entire 77MB Shorewall
FTP site (my DSL line is only 384kb). With this usage, my own black list
is always quite short. I use dynamic blacklisting which is more expensive
than static blacklisting using the /etc/shorewall/blacklist file.

Sorry that I can't be of more help...
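The temporary-blacklist workflow Tom describes (spotting a host that generates a flood of log messages, then dropping it dynamically) as an added shell example; this is not code from the post or from Shorewall itself. It assumes log lines carry Shorewall's `Shorewall:<chain>:<disposition>:` prefix followed by the kernel's `SRC=` field, and that `shorewall drop <address>` is the dynamic-blacklist command; the hosts, times and counts in the sample are constructed.

```sh
#!/bin/sh
# Constructed sample of Netfilter log lines as Shorewall writes them to syslog.
# Addresses are from documentation ranges; timestamps and ports are made up.
SAMPLE_LOG='Jul 16 07:01:12 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=3456 DPT=80
Jul 16 07:01:13 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=3457 DPT=80
Jul 16 07:01:13 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=1025 DPT=445
Jul 16 07:01:14 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=3458 DPT=80
Jul 16 07:01:15 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.5 LEN=40 PROTO=UDP SPT=5353 DPT=53
Jul 16 07:01:16 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=3459 DPT=80
Jul 16 07:01:17 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.5 LEN=40 PROTO=UDP SPT=5354 DPT=53'

# noisy_sources LOGTEXT THRESHOLD
# Prints "count address" for every SRC= seen at least THRESHOLD times,
# most frequent first. Only lines carrying the Shorewall prefix are counted.
noisy_sources() {
    printf '%s\n' "$1" |
    awk -v min="$2" '
        /Shorewall:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { split($i, kv, "="); n[kv[2]]++ }
        }
        END { for (a in n) if (n[a] >= min) print n[a], a }
    ' | sort -rn
}

# drop_commands LOGTEXT THRESHOLD
# Emits the dynamic-blacklist commands for review; nothing is executed here,
# so an admin can check the list before adding rules to the live firewall.
drop_commands() {
    noisy_sources "$1" "$2" | awk '{ print "shorewall drop " $2 }'
}

drop_commands "$SAMPLE_LOG" 3
```

Because each blacklisted address becomes one more Netfilter rule, keeping the threshold high and removing entries again with `shorewall allow` once the noise stops keeps the dynamic list short, which is the usage Tom describes.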

