[Firehol-support] very long blacklist

Bernhard J. M. Gruen bjmg at h0t.de
Fri Apr 16 11:37:59 BST 2004


Costa Tsaousis wrote:

>Bernhard,
>
>below is a reply to a similar problem.
>
>Costa
>
>
>---
>
>[some lines of description erased by bjmg]
>
>#!/bin/sh
># USAGE: block.sh IP
># Insert a source-address jump to the blacklist chain at the top of INPUT and FORWARD.
>[ $# -eq 1 ] || { echo "usage: $0 IP" >&2; exit 1; }
>/sbin/iptables -I INPUT -s "$1" -j BL_IN_UNI
>/sbin/iptables -I FORWARD -s "$1" -j BL_IN_UNI
>
>#!/bin/sh
># USAGE: unblock.sh IP
># Delete the same two rules again; the rule spec must match what block.sh inserted.
>[ $# -eq 1 ] || { echo "usage: $0 IP" >&2; exit 1; }
>/sbin/iptables -D INPUT -s "$1" -j BL_IN_UNI
>/sbin/iptables -D FORWARD -s "$1" -j BL_IN_UNI
>
Hi Costa,

This works fine and is a little faster. But now I have found an even faster 
method of loading those blacklist entries. I created a file that I piped 
to iptables-restore. With this method I save the time of running 
/sbin/iptables every time again. Now I have a blacklist and I did some 
benchmarking with it. I came to the conclusion that 19% of processor 
time is too much. After some further tests I probably have a solution to 
speed this up too. The blacklist entries are at the beginning of INPUT, 
OUTPUT and FORWARD, so every packet has to go through this test (about 
6000 rules in each chain). But there are also some packets (in reality most of 
the packets) that belong to an established connection. So there is no 
need to test for these connections. I am not sure if this feature can be 
integrated into FireHOL, but it would be really nice because it saves A 
LOT of time (19% --> 4%).
By the way, FireHOL could also use the iptables-restore method to start 
faster. For this FireHOL has to write every line of iptables code into a 
temporary file instead of starting iptables itself. At the end of the 
FireHOL code this temporary file should be piped to iptables-restore. :-)

Bernhard
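The two ideas in Bernhard's message, loading the whole blacklist in one iptables-restore pass instead of one /sbin/iptables fork per entry, and accepting ESTABLISHED,RELATED traffic before the blacklist is consulted, as an added example. This is not FireHOL code and not a script from the thread; the chain name BLACKLIST, the constructed sample addresses and the one-address-per-line input format are assumptions. It hooks INPUT and FORWARD like Costa's scripts do (a source-address blacklist on OUTPUT rarely makes sense), and it rejects anything in the input that is not an address or CIDR, because a restore file is a command stream and a stray token in a downloaded blacklist would otherwise become part of a rule.

```shell
#!/bin/sh
# Build an iptables-restore(8) file from a plain list of IPv4 addresses/CIDRs.
# The whole list is loaded in one pass, and established connections are
# accepted before the blacklist chain, so only NEW packets walk the long chain.
# Example code, not part of FireHOL. Chain name, sample data and input format
# are assumptions made for this illustration.

# Constructed sample input (not real data): one address or CIDR per line,
# '#' starts a comment. The last entry is deliberately malformed to show that
# it is rejected instead of being turned into an ACCEPT rule.
SAMPLE_BLACKLIST='# constructed sample, not real data
192.0.2.10
198.51.100.0/24
# blank lines and comments are ignored

203.0.113.77
10.0.0.1 -j ACCEPT
'

# gen_blacklist_restore CHAIN   (blacklist text on stdin, restore file on stdout)
gen_blacklist_restore() {
    _chain="$1"
    printf '*filter\n'
    # Declare the user chain; with iptables-restore -n an existing chain of
    # this name is flushed, a missing one is created.
    printf ':%s - [0:0]\n' "$_chain"
    # Fast path first: established flows never enter the blacklist chain,
    # then only NEW connections are sent to it.
    for _hook in INPUT FORWARD; do
        printf '%s\n' "-I $_hook 1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
        printf '%s\n' "-I $_hook 2 -m state --state NEW -j $_chain"
    done
    # Strip comments/whitespace/blank lines, then emit one DROP per entry.
    # Anything but digits, dots and a slash is refused: the restore format is
    # command syntax, so untrusted list contents must not reach it unchecked.
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' |
    while IFS= read -r _addr; do
        case "$_addr" in
            *[!0-9./]*)
                printf 'skipping malformed entry: %s\n' "$_addr" >&2
                continue ;;
        esac
        printf '%s\n' "-A $_chain -s $_addr -j DROP"
    done
    printf 'COMMIT\n'
}

# Stand-alone demo on the constructed sample. Real use, keeping the existing
# FireHOL rules (plain iptables-restore would flush the whole filter table):
#   gen_blacklist_restore BLACKLIST < blacklist.txt | iptables-restore -n
printf '%s' "$SAMPLE_BLACKLIST" | gen_blacklist_restore BLACKLIST
```

Load the result with `iptables-restore -n` (`--noflush`); without `-n` the restore replaces the entire filter table that FireHOL built. The two `-I` hook rules are inserted on every load, so on a reload either delete them first or keep them in FireHOL's own configuration and only regenerate the BLACKLIST chain. On current kernels a list this size is normally one `ipset` match rather than thousands of rules, but the restore-file approach is what the thread is about.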
