On Wed, 26 Feb 2020, Dan Ritter wrote:
> If you find yourself needing to add lots more rules, you might want to
> generate a "set" instead of individual rules:
> http://ipset.netfilter.org/
> https://www.linuxjournal.com/content/advanced-firewall-configurations-ipset
> might be useful.

I find ipsets the natural way of setting up rules. I run a script which blocks
whole countries, taking the country data from
http://ipverse.net/ipblocks/data/countries/
Simple and efficient. I once had a set with 140000 (yes, 140 thousand) ipblocks
in an ipset with no apparent performance hit.
Roger
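
The approach described in the message above, sketched as an added example that is not part of the original thread or Roger's script: it turns a downloaded country block list into `ipset restore` input, skips malformed lines, sizes `maxelem` for lists as large as the 140000 entries mentioned, and swaps the new set in atomically. The set name `blocked_cc`, the one-CIDR-per-line file layout and the sample data are assumptions.

```shell
#!/bin/sh
# Added example: build `ipset restore` input from a country CIDR list.
# Assumes the live set already exists: ipset create blocked_cc hash:net

# Constructed sample in the assumed one-CIDR-per-line layout
sample_zone() {
cat <<'EOF'
# constructed sample zone file
192.0.2.0/24
198.51.100.0/24

203.0.113.0/24
198.51.100.0/24
not-a-cidr
203.0.113.999/24
10.0.0.0/33
EOF
}

# gen_restore SET: CIDRs on stdin, ipset restore commands on stdout
gen_restore() {
    awk -v set="$1" '
    function valid(c,   p, o, i) {
        if (c !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) return 0
        split(c, p, "/"); if (p[2] + 0 < 1 || p[2] + 0 > 32) return 0
        split(p[1], o, ".")
        for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) return 0
        return 1
    }
    { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }   # drop comments and whitespace
    $0 == "" { next }
    !valid($0) { print "skipped: " $0 > "/dev/stderr"; next }
    !seen[$0]++ { net[++n] = $0 }             # de-duplicate, keep order
    END {
        # an empty or failed download must not replace the live set
        if (n == 0) { print "no valid networks" > "/dev/stderr"; exit 1 }
        # hash sets default to maxelem 65536; size up for larger lists
        max = 65536; while (max < n) max *= 2
        printf "create %s_new hash:net family inet maxelem %d\n", set, max
        for (i = 1; i <= n; i++) printf "add %s_new %s\n", set, net[i]
        printf "swap %s_new %s\n", set, set   # atomic switch, no open window
        printf "destroy %s_new\n", set
    }'
}

# Real use: gen_restore blocked_cc < country.zone | ipset restore
# One rule: iptables -I INPUT -m set --match-set blocked_cc src -j DROP
sample_zone | gen_restore blocked_cc
```

A single iptables rule referencing the set replaces one rule per network, which is why the rule count stays constant however many blocks are loaded.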