On Wed, 2007-03-21 at 12:09 -0400, H.S. wrote:
> Ron Johnson wrote:
> > On 03/21/07 10:52, H.S. wrote:
> >> H.S. wrote:
> >>
> >>> Now, currently, there are around 151,000 IP ranges listed in level1.gz
> >>> to block. So the above function's loop goes over these many times
> >>> inserting the rules for each range. And this is taking a huge amount of
> >>> time: in over 50 minutes, only around 12% of the rules have been loaded on my
> >>> router running Etch (Pentium III, 449MHz, 380 MB RAM).
> >>>
> >>> How can I speed this up? Advice?
> >>>
> >>> thanks,
> >>> ->HS
> >>
> >>
> >> Anyone ... ?
> >
> > That's a whole lotta rules. I'm not surprised that iptables doesn't
> > scale that well.
>
> Yes. The experiment shows that this is not going well. I was wondering
> if there are any alternatives. I currently have around 80,000 rules now
> inserted, and the process is still continuing more than 17 hours later!
> However, my internet connection seems to be holding up without any
> noticeable performance cut so far.
Have you tried to use networks versus individual IPs? I blocked well over 1.8M IPs this way with IPTABLES. It is a lot of work to get set up initially, but it works relatively well. I want you to know, there are a serious number of Chinese, Taiwan, Korean and other networks where about 50% of spam and probes and scripted attacks come from. I just defined the "AN" numbers and used them.

--
greg, [EMAIL PROTECTED]

Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets that kids light off down at the playfield. -- Thane Walkup
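One way to do the aggregation greg describes, as an added example that is not code from this thread: collapse each start-end range into CIDR blocks, merge adjacent blocks, and emit the result in iptables-restore syntax so the whole list loads in one batch instead of one iptables call per range. It assumes the blocklist uses one "description:first-last" entry per line (the level1 format is not shown in the thread) and uses a constructed sample.

```python
#!/usr/bin/env python3
"""Collapse individual IP ranges into CIDR networks before turning them into
iptables rules. Added example, not code from the thread; it assumes a
'description:first-last' line format (constructed sample below)."""
import ipaddress
from typing import List, Tuple

# Constructed sample in the assumed 'description:first-last' style; not real data.
SAMPLE_LIST = """\
example-net-a:10.0.0.0-10.0.0.255
example-net-b:10.0.1.0-10.0.1.255
example-host:192.0.2.7-192.0.2.7
example-odd-range:198.51.100.0-198.51.100.5
"""


def parse_ranges(text: str) -> List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """Return (first, last) address pairs, skipping blank and comment lines."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, _, span = line.rpartition(":")  # the description may itself contain ':'
        first, last = span.split("-")
        pairs.append((ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return pairs


def ranges_to_networks(pairs) -> List[ipaddress.IPv4Network]:
    """Turn each range into the minimal set of CIDR blocks, then merge adjacent
    and overlapping blocks so one '-s' match covers as much as possible."""
    nets = []
    for first, last in pairs:
        nets.extend(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(nets, chain: str = "INPUT") -> List[str]:
    """One DROP rule per network in iptables-restore syntax (no 'iptables'
    prefix), so the list can be committed to the kernel in a single pass."""
    return [f"-A {chain} -s {net.with_prefixlen} -j DROP" for net in nets]


def build(text: str, chain: str = "INPUT") -> List[str]:
    return iptables_rules(ranges_to_networks(parse_ranges(text)), chain)


if __name__ == "__main__":
    rules = build(SAMPLE_LIST)
    print(f"{len(parse_ranges(SAMPLE_LIST))} ranges -> {len(rules)} rules")
    print("\n".join(rules))
```

On a real list the merge step is where the rule count drops: consecutive single-host entries and neighbouring /24s fold into a handful of larger prefixes.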