On Fri 21/Jun/2024 18:12:13 +0200 Ralph Seichter via mailop wrote:
> * Jeff Pang via mailop:
>> Given that I currently have 3000+ blocked IPs, for every normal client
>> request to submission the IP will be checked against that 3000+ list,
>> which certainly slows down the normal client's connection.
>
> I consider this a case of "measure, don't guess". I am right now logged
> into a none-too-fancy server moving terabytes of data per day, with
> thousands of iptables entries -- without breaking a sweat. Some RAM and
> CPU cycles are of course required, but unless you have concrete evidence
> of your server struggling, you may be jumping at shadows.
That's still more of a moral judgment than a measure. Setting up the system
takes time, and when you feel satisfied with how it works under the current load,
you certainly don't want to change it.

Research[*] shows that thousands of rules are fine, but hundreds of thousands
bring it to its knees. I attach a picture.
Best
Ale
--
[*] https://kinvolk.io/blog/2020/09/performance-benchmark-analysis-of-egress-filtering-on-linux
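One way to keep a block chain like the one Jeff describes short, as an added example that is not code from this thread or from any of its posters: collapse the flat IP list into the fewest CIDR entries before loading it, so duplicates, overlapping ranges and adjacent /24s become single rules. The chain name SUBMISSION_BLOCK and the sample addresses are constructed.

```python
"""Collapse a flat IP block list into the fewest CIDR DROP rules for a
submission-port (587) chain. Added example, not from the thread."""
import ipaddress

# Constructed sample block list (documentation ranges, not a real list):
# comments, a duplicate, a CIDR, two adjacent /24s, and a host already
# covered by a wider IPv6 prefix.
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real blocklist
203.0.113.10
203.0.113.10
198.51.100.0/24
198.51.101.0/24
2001:db8::1
2001:db8::/32
"""


def parse_blocklist(text: str) -> list:
    """Parse one IP or CIDR per line; skip blanks, comments and bad lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed entry: ignore it rather than abort the reload
    return nets


def collapse(nets) -> tuple:
    """Merge duplicate, overlapping and adjacent networks per address family.
    Returns (ipv4_networks, ipv6_networks), each sorted."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)))


def render_restore(nets, chain="SUBMISSION_BLOCK", port=587) -> str:
    """Emit an iptables-restore fragment: one DROP per collapsed network in a
    dedicated chain, entered from INPUT only for the submission port, so
    traffic to other ports never walks the list."""
    lines = ["*filter", f":{chain} - [0:0]",
             f"-A INPUT -p tcp --dport {port} -j {chain}"]
    for n in nets:
        lines.append(f"-A {chain} -s {n.with_prefixlen} -j DROP")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"
```

Whether the resulting chain costs anything measurable is still a question for the live host's rule counters, which is Ralph's point.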