From: Willy Tarreau <w@1wt.eu>
To: jmerkey@wolfmountaingroup.com
Cc: linux-kernel@vger.kernel.org
Subject: Re: [ANNOUNCE] Kernel Blocking Firewall
Date: Fri, 9 Jan 2009 10:09:56 +0100
Message-ID: <20090109090956.GA28484@1wt.eu>
In-Reply-To: <40547.166.70.238.44.1231488906.squirrel@webmail.wolfmountaingroup.com>

On Fri, Jan 09, 2009 at 01:15:06AM -0700, jmerkey@wolfmountaingroup.com wrote:
> You should go and look at the code, 1) the window of addresses cached in
> memory is designed to act as an LRU window for the addresses stored in
> the database to use less memory, so no, the in-memory-only iptables is
> primitive in comparison

I was not speaking about iptables but ipset, which is an iptables extension.
From my memories, you can have addresses stored as bitmaps, where one bit
equals one address. This would lead to less than 100 kB of RAM for your
500k addresses. But I agree that the concept of the LRU cache is interesting.

> 2) the database can just keep growing and growing
> 3) the code I posted also loads the database if the system reboots, so
> your applications remember all those botnet addresses 4) there is the
> ability to set a timer to expire and recycle the oldest addresses (while
> still remembering all of them).

IIRC, this is also supported in ipset (I just have not looked at it for a
while now).

> From my experience with dealing with these systems, and observation of how
> RBL databases work, when an infected system gets blacklisted, it stays
> that way until the user goes to the websites and requests removal.  I have
> found these zombie systems tend to stay that way, and no, by default you
> NEVER want to unblock them for at least 6 months.

This is stupid considering that most of them change their IP address every
24 hours, or at most every 7 days. This is just used to show that spam rate
drops, hiding the fact that valid mails drop for similar reasons. For your
own use, you might consider that you'll never receive mails from people
hosted at the same ISP as the bots you block, but doing this on a large
scale or for companies who do their business around e-mail is plain stupid.

I'm on a static IP, but a lot of people I know are not. It would be
unfair to block them from posting to, say, LKML just because the week
before, someone with their address had been sending spam. And no, it
does not help getting the problem solved since the only users annoyed
are not the ones with the faulty installation.

Willy
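The two points argued above, one bit per address for a bitmap set and a timer that retires the oldest entries, can be shown in a few dozen lines. The following is an added illustration written for this archive page; it is neither code from the thread nor ipset's own implementation. It assumes a fixed contiguous range (here a constructed 10.0.0.0/13, 524288 addresses, 64 KiB per bitmap) and uses two bitmap generations so that a rotate() call, run from a periodic timer, forgets anything not re-added during the previous period. The struct and function names are my own choices.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A bitmap address set in the spirit of ipset's bitmap:ip: one bit per IPv4
 * address of a fixed contiguous range, so 512k addresses cost 64 KiB.
 * Two generations ("cur" and "prev") give a coarse expiry: ipset_bm_rotate()
 * discards everything that was not re-added during the last period.
 * Illustrative code written for this discussion; not ipset's implementation. */
typedef struct {
    uint32_t base;   /* first address of the range, host byte order */
    uint32_t size;   /* number of addresses covered by the range */
    uint8_t *cur;    /* addresses added in the current period */
    uint8_t *prev;   /* addresses from the previous period, still blocked */
} ipset_bm;

static size_t ipset_bm_gen_bytes(const ipset_bm *s)
{
    return ((size_t)s->size + 7) / 8;
}

/* Cover the block base/prefix, e.g. "10.0.0.0", 13. Returns 1 on success. */
int ipset_bm_init(ipset_bm *s, const char *base, int prefix)
{
    struct in_addr a;
    if (prefix < 1 || prefix > 32 || inet_pton(AF_INET, base, &a) != 1)
        return 0;
    s->size = (uint32_t)1 << (32 - prefix);
    s->base = ntohl(a.s_addr) & ~(s->size - 1);   /* align to the block */
    s->cur = calloc(ipset_bm_gen_bytes(s), 1);
    s->prev = calloc(ipset_bm_gen_bytes(s), 1);
    return s->cur && s->prev;
}

/* Map a dotted-quad address to its bit index; 0 if outside the range. */
static int ipset_bm_index(const ipset_bm *s, const char *ip, uint32_t *idx)
{
    struct in_addr a;
    uint32_t h;
    if (inet_pton(AF_INET, ip, &a) != 1)
        return 0;
    h = ntohl(a.s_addr);
    if (h < s->base || h - s->base >= s->size)
        return 0;
    *idx = h - s->base;
    return 1;
}

/* Block an address in the current generation; 0 if it is not in the range. */
int ipset_bm_add(ipset_bm *s, const char *ip)
{
    uint32_t i;
    if (!ipset_bm_index(s, ip, &i))
        return 0;
    s->cur[i / 8] |= (uint8_t)(1u << (i % 8));
    return 1;
}

/* 1 if the address is blocked in either generation. */
int ipset_bm_test(const ipset_bm *s, const char *ip)
{
    uint32_t i;
    if (!ipset_bm_index(s, ip, &i))
        return 0;
    return ((s->cur[i / 8] | s->prev[i / 8]) >> (i % 8)) & 1;
}

/* Expire the oldest generation: what was only in "prev" is forgotten.
 * Call this from a periodic timer (e.g. once a week). */
void ipset_bm_rotate(ipset_bm *s)
{
    uint8_t *old = s->prev;
    s->prev = s->cur;
    s->cur = old;
    memset(s->cur, 0, ipset_bm_gen_bytes(s));
}

/* Total RAM used by the set: two bitmaps of one bit per address. */
size_t ipset_bm_bytes(const ipset_bm *s)
{
    return 2 * ipset_bm_gen_bytes(s);
}

void ipset_bm_free(ipset_bm *s)
{
    free(s->cur);
    free(s->prev);
    s->cur = s->prev = NULL;
}

int main(void)
{
    ipset_bm s;
    if (!ipset_bm_init(&s, "10.0.0.0", 13))   /* constructed sample range */
        return 1;
    ipset_bm_add(&s, "10.3.4.5");             /* constructed sample address */
    printf("%u addresses in %zu bytes (%zu per generation)\n",
           s.size, ipset_bm_bytes(&s), ipset_bm_gen_bytes(&s));
    printf("10.3.4.5 blocked: %d\n", ipset_bm_test(&s, "10.3.4.5"));
    ipset_bm_rotate(&s);
    ipset_bm_rotate(&s);
    printf("after two rotations: %d\n", ipset_bm_test(&s, "10.3.4.5"));
    ipset_bm_free(&s);
    return 0;
}
```

The price of the compact encoding is that expiry is per generation rather than per entry: a precise per-address timer would need a timestamp per element and lose the one-bit-per-address footprint, and a bitmap only works for a bounded contiguous range, which is why a hash-based set is the usual choice for scattered addresses.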


Thread overview: 11+ messages
2009-01-09  2:23 [ANNOUNCE] Kernel Blocking Firewall jmerkey
2009-01-09  6:46 ` Willy Tarreau
2009-01-09  7:36   ` jmerkey
2009-01-09  8:45     ` Willy Tarreau
2009-01-09  8:15       ` jmerkey
2009-01-09  9:09         ` Willy Tarreau [this message]
2009-01-09  8:43           ` jmerkey
2009-01-09 10:56             ` David Newall
2009-01-09 18:14               ` jmerkey
2009-01-10  0:40   ` Henrique de Moraes Holschuh
2009-01-10  6:11     ` Willy Tarreau