Hi all,

I need to find out if there are any performance issues involved with having a black list on the firewall. As I understand, before a packet is delivered it will go through all the IPs in the blacklist, therefore eventually we might end up having quite a lot of IPs in the black list. My question is how much delay will that cause (if any) to reach any of the machines I have in my DMZ or when doing port forwarding. Please do excuse me if this question has been answered before, but I have looked through the archives and the docs of Shorewall and haven't found anything that answers my question.

Also, does anyone have a list of IPs which have a record of hacking?

Thanks in advance.

A. Karim
On Tue, 16 Jul 2002, Abdul Karim wrote:

> Hi all, I need to find out if there are any performance issues involved with
> having a black list on the firewall. As I understand before a packet is
> delivered it will go through all the IPs in the blacklist, therefore
> eventually we might end up having quite a lot of IPs in the black list. My
> question is how much delay will that cause (if any) to reach any of the
> machines I have in my DMZ or when doing port forwarding. I please do excuse
> me if this question has been answered before but I have looked through the
> archives and the doc of shorewall. Haven't found anything that answers my
> question.
>

Each entry in the black list is a separate rule, so the delay caused is the time that it takes to evaluate a single Netfilter rule. I have not seen atomic numbers of this sort published; they obviously depend on the speed of the CPU and the nature of the rule.

> Also does anyone have a list of IPs which have a record of hacking?
>

I don't. I tend to use the black list as a temporary measure when a site is causing a lot of log messages to be generated (such as systems that are Nimda-infected) or when some idiot tries to wget the entire 77MB Shorewall FTP site (my DSL line is only 384kb). With this usage, my own black list is always quite short. I use dynamic blacklisting, which is more expensive than static blacklisting using the /etc/shorewall/blacklist file.

Sorry that I can't be of more help...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Tuesday, July 16, 2002 9:24 AM
> To: Abdul Karim
> Cc: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] blacklist questions
>
>
> On Tue, 16 Jul 2002, Abdul Karim wrote:
>
> > Hi all, I need to find out if there are any performance
> > issues involved with having a black list on the firewall.
> > As I understand before a packet is delivered it will go
> > through all the IPs in the blacklist, therefore eventually
> > we might end up having quite a lot of IPs in the black list.
> > My question is how much delay will that cause (if any) to
> > reach any of the machines I have in my DMZ or when doing
> > port forwarding. I please do excuse me if this question
> > has been answered before but I have looked through the
> > archives and the doc of shorewall. Haven't found anything
> > that answers my question.
> >
>
> Each entry in the black list is a separate rule so the delay
> caused is the time that it takes to evaluate a single Netfilter
> rule. I have not seen atomic numbers of this sort published;
> they obviously depend on the speed of the CPU and the nature
> of the rule.

At one time (before Verizon did something about the Nimda/CodeRed infected sites on their network) I had over 400+ entries in my blacklist file. I saw no performance issues at this end. BTW: My Shorewall box is a measly P100 with 48MB of RAM.

> > Also does anyone have a list of IPs which have a record of hacking?
> >
>
> I don't. I tend to use the black list as a temporary measure
> when a site is causing a lot of log messages to be generated
> (such as systems that are Nimda-infected) or when some idiot
> tries to Wget the entire 77MB Shorewall FTP site (my DSL line
> is only 384kb). With this usage, my own black list is always
> quite short. I use dynamic blacklisting which is more expensive
> than static blacklisting using the /etc/shorewall/blacklist file.
>
> Sorry that I can't be of more help...
>

Like Tom, I update my blacklist file as I see abuse occur in my /var/log/messages file. To me, the bigger problem is with e-mail abuse. I'm now seeing formmail probes that generate a single 20 line x 80 character logfile entry. I had to modify my cronjob entry for webalizer to stop the error messages when it hit one of these formmail probes. :-(

Steve Cowles
Has anyone tried using swatch to automate Shorewall dynamic blacklisting yet? Seems to me these 2 programs were made for each other; I just haven't had a chance to try it myself yet.

Jim Hubbard

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Cowles, Steve
> Sent: Tuesday, July 16, 2002 10:58 AM
> To: shorewall-users@shorewall.net
> Subject: RE: [Shorewall-users] blacklist questions
>
>
> Like Tom, I update my blacklist file as I see abuse occur in my
> /var/log/messages file. To me, the bigger problem is with e-mail
> abuse. I'm
> now seeing formmail probes that generate a single 20 line x 80 character
> logfile entry. I had to modify my cronjob entry for webalizer to stop the
> error messages when it hit one of these formmail probes. :-(
>
> Steve Cowles
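Following up on the swatch idea, here is an added example (not from this thread and not Shorewall's own code) of the log-driven half in Python: it parses constructed Shorewall DROP lines from /var/log/messages and lists sources that burst past a threshold inside a time window, leaving the decision to add them to the dynamic blacklist to the operator. The "Shorewall:<chain>:DROP:" log prefix, the threshold values and the addresses are assumptions.

```python
# Added example, not code from the thread: scan Netfilter DROP log lines for
# sources that burst past a threshold and list them for operator review. The
# "Shorewall:<chain>:DROP:" prefix is assumed; the sample lines below are
# constructed, using documentation-range addresses.
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Jul 16 09:01:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=4021 DPT=80
Jul 16 09:01:03 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=4022 DPT=80
Jul 16 09:01:05 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=1100 DPT=25
Jul 16 09:01:09 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=4023 DPT=80
Jul 16 09:20:00 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=4099 DPT=80
Jul 16 09:20:01 fw sshd[123]: Accepted publickey for admin from 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"Shorewall:(?P<chain>[^:]+):DROP:.*?\bSRC=(?P<src>\d+\.\d+\.\d+\.\d+)"
)

def parse_drops(text, year=2002):
    """Yield (timestamp, chain, src) for each Shorewall DROP line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["chain"], m["src"]

def blacklist_candidates(text, threshold=3, window_seconds=60):
    """Sources with >= threshold drops inside any window_seconds span. A sliding
    window means bursts qualify but a slow trickle does not, keeping the list short."""
    seen = defaultdict(list)
    for ts, _chain, src in parse_drops(text):
        seen[src].append(ts)
    out = []
    for src, stamps in seen.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                out.append(src)
                break
    return sorted(out)

if __name__ == "__main__":
    # Print for review; adding them to the dynamic blacklist stays a manual step.
    print(blacklist_candidates(SAMPLE_LOG))
```

Each candidate would become one more Netfilter rule, so a tight window and a sane threshold keep the blacklist (and its per-packet cost) small.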
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>

> I use dynamic blacklisting which is more expensive
> than static blacklisting using the /etc/shorewall/blacklist file.

Tom,

Can you describe the methods you use to do dynamic blacklisting? I know iptables but I'm brand new to Shorewall. Is dynamic blacklisting a feature of Shorewall, or do you look at hacker attempts yourself (or via script) by examining logs?

-eric wood
On Tue, 16 Jul 2002, Eric Wood wrote:

>
> Can you describe the methods you use to do dynamic blacklisting. I know
> iptables but I'm brand new to shorewall. Is dynamic blacklisting a feature
> of shorewall or do you look at hacker attempts yourself (or via script) by
> examining logs?
>

For a description of Shorewall Dynamic Blacklisting, enter "dynamic blacklisting" in the quick search on the Shorewall home page. The first link is the one you want. I just run the commands manually when I see my performance bogging down or see a lot of log messages.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net