IPSet Log and drop.
kadlec at blackhole.kfki.hu
Thu Apr 21 20:15:33 CEST 2005
On Thu, 21 Apr 2005, Rob Carlson wrote:
> I'm currently using ipset to block some large
> blocks of addresses. It seems to be working well,
> but a couple of rogue emails have gotten through.
E-mails? You are fully aware that E-mail headers are trivial to forge,
aren't you? Have you checked the sender machines in the Received lines?
> I've found that with vanilla IPTables, to log and
> block one sets up two rules, first the LOG
> statement, then immediately following, the DROP
> statement. However since I am using a nethash in
> IPSet, I wonder if this approach would work, or
> whether scanning the hash twice to invoke each
> operation would be counter to the reason for using
> the IPset nethash.
ipset set types are really fast. It's hard to say which is faster:
> iptables -A testhash -m set --set testhash src -j LOG
> iptables -A testhash -m set --set testhash src -j DROP
iptables -N logdrop
iptables -A logdrop -j LOG
iptables -A logdrop -j DROP
iptables -A testhash -m set --set testhash src -j logdrop
In the first case there is an additional set lookup, in the second case
there are four [six] additional "wildcard" builtin matches (src, dst,
inface, outface, [proto, frag]) and one jump.
Probably the latter one is a teeny bit faster by a few cycles: hash key
computations are just more expensive operations than simple matches.
E-mail : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
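Added example, not part of the thread and not code from the reply's author: the logdrop-chain variant from the reply above written out as a script for current ipset/iptables. The 2005 syntax quoted in the thread (nethash, -m set --set) has since become hash:net and -m set --match-set. The set name testhash, the chain name logdrop, the hook into INPUT, the RFC 5737 sample networks and the rate limit on the LOG rule are assumptions. The helper chain_logs_before_drop reads "iptables -S logdrop" output and checks that LOG really precedes DROP, since a chain rebuilt in the wrong order drops silently without any log line.

```shell
#!/bin/sh
# Added example for the ipset log-and-drop thread; not the reply author's code.
# Assumptions: set "testhash", chain "logdrop", hooking into INPUT, the
# RFC 5737 sample networks and the rate limit on LOG. Modern ipset/iptables
# syntax (hash:net, --match-set) replaces the 2005 nethash / --set syntax.

# Emit, one per line, the commands for the single-lookup variant: the set is
# matched once, and the LOG + DROP pair lives in its own chain. Nothing is
# executed here; pipe the output into "sh -e" as root to apply it.
ipset_logdrop_rules() {
  set_name=$1
  chain=$2
  cat <<EOF
ipset create $set_name hash:net -exist
ipset add $set_name 192.0.2.0/24 -exist
ipset add $set_name 198.51.100.0/24 -exist
iptables -N $chain 2>/dev/null || iptables -F $chain
iptables -A $chain -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "$chain: " --log-level 4
iptables -A $chain -j DROP
iptables -C INPUT -m set --match-set $set_name src -j $chain 2>/dev/null || iptables -I INPUT -m set --match-set $set_name src -j $chain
EOF
}

# Read "iptables -S <chain>" output on stdin and succeed only if a LOG rule
# appears before the first DROP rule; an out-of-order chain drops silently.
chain_logs_before_drop() {
  awk '/-j LOG/  && !log_seen  { log_seen  = NR }
       /-j DROP/ && !drop_seen { drop_seen = NR }
       END { exit !(log_seen && drop_seen && log_seen < drop_seen) }'
}

# Constructed samples standing in for real "iptables -S logdrop" output.
SAMPLE_GOOD='-N logdrop
-A logdrop -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "logdrop: " --log-level 4
-A logdrop -j DROP'
SAMPLE_BAD='-N logdrop
-A logdrop -j DROP
-A logdrop -j LOG --log-prefix "logdrop: "'

# Usage: ./logdrop.sh        -> print the commands
#        ./logdrop.sh apply  -> apply them (as root), then verify the order
if [ "${1:-}" = "apply" ]; then
  ipset_logdrop_rules testhash logdrop | sh -e
  iptables -S logdrop | chain_logs_before_drop && echo "logdrop: LOG precedes DROP"
elif [ "${1:-}" = "" ]; then
  ipset_logdrop_rules testhash logdrop
fi
```

The -m limit in front of LOG is the caveat the thread does not mention: a blocked /16 that keeps scanning can otherwise fill the kernel log faster than the DROP saves you anything. The -C guard on the INPUT rule and -exist on the ipset commands make "apply" safe to re-run.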