Hello,

I am bored of a form spammer who uses a proxy to send messages. I wish to enter a list of about 3000 IPs with proxy servers. Will I have a server performance degradation?

Talking about server performance, is it better to insert this long list of IP addresses in the dynamic blacklist or in the static blacklist? If the dynamic one is better, which is the best/fastest way to insert about 3000 IPs into the dynamic list?

Thank you!
Graziano

Graziano wrote:
> Hello,
>
> I am bored of a form spammer who uses a proxy to send messages.
> I wish to enter a list of about 3000 IPs with proxy servers. Will I
> have a server performance degradation?
> Talking about server performance, is it better to insert this long list
> of IP addresses in the dynamic blacklist or in the static blacklist?
> If the dynamic one is better, which is the best/fastest way to insert
> about 3000 IPs into the dynamic list?

I personally recommend against using large blacklists unless you have ipset support. With BLACKLISTNEWONLY=Yes but no ipset support, each accepted connection from the net will have to pass through 3000+ rules.

I would definitely use static blacklisting rather than dynamic rules. Static blacklisting is specified by incoming interface (using the 'blacklist' option) while dynamic blacklisting is applied to *all* connection requests to/through the firewall.

Without ipset support, I recommend using DELAYBLACKLISTLOAD=Yes in shorewall.conf to cut down on the time that all new connections are blocked during 'shorewall [re]start'.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Eh... I think not. As far as I remember, I had about 2000 static IPs and it doesn't hurt the server performance that much. At least it is not obvious, though. After the shorewall start command, there is no more Shorewall code or processes left running. So, it shouldn't be an issue.

On 9/8/06, Graziano <dreamservice@libero.it> wrote:
> Hello,
>
> I am bored of a form spammer who uses a proxy to send messages.
> I wish to enter a list of about 3000 IPs with proxy servers. Will I
> have a server performance degradation?
> Talking about server performance, is it better to insert this long list
> of IP addresses in the dynamic blacklist or in the static blacklist?
> If the dynamic one is better, which is the best/fastest way to insert
> about 3000 IPs into the dynamic list?
>
> Thank you!
> Graziano

Thank you.

If I install ipset from http://ipset.netfilter.org, will Shorewall recognize it automatically? Or do I have to configure something?

Thank you,
Graziano

Graziano wrote:
> Thank you.
>
> If I install ipset from http://ipset.netfilter.org, will Shorewall
> recognize it automatically?
> Or do I have to configure something?

Shorewall will recognize it automatically if you have the ipset utility and ipset match in your kernel. See http://www.shorewall.net/ipsets.html for information about how to use ipsets in Shorewall.

-Tom

Unluckily I am not a kernel expert; I don't want to mess up the server... I will stay without ipset. Thank you.