From: Willy Tarreau <w@1wt.eu>
To: jmerkey@wolfmountaingroup.com
Cc: linux-kernel@vger.kernel.org
Subject: Re: [ANNOUNCE] Kernel Blocking Firewall
Date: Fri, 9 Jan 2009 09:45:40 +0100 [thread overview]
Message-ID: <20090109084540.GH5038@1wt.eu> (raw)
In-Reply-To: <37611.166.70.238.44.1231486566.squirrel@webmail.wolfmountaingroup.com>
On Fri, Jan 09, 2009 at 12:36:06AM -0700, jmerkey@wolfmountaingroup.com wrote:
> > On Thu, Jan 08, 2009 at 07:23:43PM -0700, jmerkey@wolfmountaingroup.com
> > wrote:
> >> iptables is just too cumbersome and memory comsumptive to work well and
> >> has a shitty app inteface so I wrote one with a kernel level database
> >> and
> >> combined it with postfix. This firewall actually drops packets on the
> >> floor by port, or in their entirety by IP address to deal with these
> >> jerks.
> >>
> >> The code is a kernel module that will build an RBL database to disk and
> >> it
> >> will cache up to 500,000 IP addresses efficiently on a 1GB home personal
> >> computer. The more memory you have, the more IP addresses you can
> >> cache.
> >> It is configurable and possible to hold millions of them if you have 4GB
> >> of memory in the server.
> >
> > why didn't you use ipset for that ? It's designed exactly for this usage
> > and is a lot easier to use than plain iptables for dynamic filtering.
> >
> > Willy
>
>
> No database to store the 500,000+ addresses you will harvest in about 2
> months, that's why. The one I did uses an lru cached database that runs
> in the kernel, and not userspace, so you can filer real time, and manage
> the database real time.
ipset runs in kernel too, you just add/remove entries from userspace
without having to touch all other ones. It has no problem storing one
million addresses and doing fast lookups on them.
I'm not dismissing your work, I just think it's a duplicate effort.
Also, since you're speaking about botnets, you should support automatic
expiration of those addresses, because almost all those addresses are
dynamic and will match a bot for a small amount of time, then match a
normal non-infected user. One of the reasons you found 500k addresses
might very well be because each bot appears one hundred times at different
addresses.
Willy
next prev parent reply other threads:[~2009-01-09 8:45 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-01-09 2:23 [ANNOUNCE] Kernel Blocking Firewall jmerkey
2009-01-09 6:46 ` Willy Tarreau
2009-01-09 7:36 ` jmerkey
2009-01-09 8:45 ` Willy Tarreau [this message]
2009-01-09 8:15 ` jmerkey
2009-01-09 9:09 ` Willy Tarreau
2009-01-09 8:43 ` jmerkey
2009-01-09 10:56 ` David Newall
2009-01-09 18:14 ` jmerkey
2009-01-10 0:40 ` Henrique de Moraes Holschuh
2009-01-10 6:11 ` Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090109084540.GH5038@1wt.eu \
--to=w@1wt.eu \
--cc=jmerkey@wolfmountaingroup.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox