Hi,
I have a script that downloads "badhosts" from a site that continuously
updates through a distributed network.
I currently limit my blocklist to 450,000 ip addresses.
real mem = 4261072896 (4063MB)
avail mem = 4119322624 (3928MB)
bios0: PC Engines apu2
-pa-r--  blocklist
    Addresses:   450000
    Cleared:     Tue May 26 18:45:08 2020
    References:  [ Anchors: 0          Rules: 1          ]
    Evaluations: [ NoMatch: 3794791    Match: 1172204    ]
    In/Block:    [ Packets: 1172204    Bytes: 61337613   ]
    In/Match:    [ Packets: 0          Bytes: 0          ]
    In/Pass:     [ Packets: 0          Bytes: 0          ]
    In/XPass:    [ Packets: 0          Bytes: 0          ]
    Out/Block:   [ Packets: 0          Bytes: 0          ]
    Out/Match:   [ Packets: 0          Bytes: 0          ]
    Out/Pass:    [ Packets: 0          Bytes: 0          ]
    Out/XPass:   [ Packets: 0          Bytes: 0          ]
Cheers,
Steve W.
On 12/08/2020 6:11 a.m., Alan McKay wrote:
Hey folks,
This is one that is difficult to test in a test environment.
I've got OpenBSD 6.5 on a relatively new pair of servers each with 8G RAM.
With some scripting I'm looking at feeding block IPs to the firewalls
to block bad-guys in near real time, but in theory if we got attacked
by a bot net or something like that, it could result in a few thousand
IPs being blocked. Possibly even 10s of thousands.
Are there any real-world data out there on how big of a block list we
can handle without impacting performance?
We're doing the standard /etc/blacklist to load a table and then have
a block on the table right at the top of the ruleset.
thanks,
-Alan
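The load-and-cap step both messages describe, as an added example that is not Steve's script nor anything posted in the thread: it assumes a downloaded feed with one address per line, a pf table named blocklist backed by /etc/blacklist, and a block rule on that table at the top of the ruleset, and it sanitises the feed (comments, malformed entries, duplicates, and loopback/RFC1918/link-local ranges the firewall must never block) before handing it to pfctl, so a bad line in the feed cannot cut the box off from its own networks.

```shell
#!/bin/sh
# Sanitise a downloaded "badhosts" feed and load it into pf. Assumed pf.conf (not from the thread):
#   table <blocklist> persist file "/etc/blacklist"
#   block in quick from <blocklist>
set -eu

DEFAULT_LIMIT=450000          # cap mentioned in the thread; tune for your RAM
TABLE=blocklist
TABLE_FILE=/etc/blacklist

# sanitize_feed FEED [LIMIT]: print one normalised IPv4 address per line,
# dropping comments, malformed lines, duplicates (after removing leading zeros,
# so 001.002.003.004 and 1.2.3.4 count once) and ranges the firewall must
# never block (0/8, loopback, RFC1918, link-local), stopping at LIMIT entries.
sanitize_feed() {
    awk -v limit="${2:-$DEFAULT_LIMIT}" '
    {
        sub(/[#;].*/, "")                      # strip trailing comments
        gsub(/^[ \t]+|[ \t]+$/, "")            # trim whitespace
        if ($0 == "") next
        if (split($0, o, ".") != 4) next       # only plain IPv4 entries
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
        a = o[1] + 0; b = o[2] + 0; c = o[3] + 0; d = o[4] + 0
        if (a == 0 || a == 10 || a == 127) next
        if (a == 192 && b == 168) next
        if (a == 172 && b >= 16 && b <= 31) next
        if (a == 169 && b == 254) next
        ip = a "." b "." c "." d
        if (ip in seen) next
        seen[ip] = 1
        print ip
        if (++count >= limit) exit             # honour the size cap
    }' "$1"
}

# load_table FEED [LIMIT]: write the sanitised list over the table file and
# swap it into the live table atomically with "pfctl -T replace", then print
# the resulting table size so the cron job's mail shows what was loaded.
load_table() {
    staged="$TABLE_FILE.tmp.$$"
    sanitize_feed "$1" "${2:-$DEFAULT_LIMIT}" > "$staged"
    mv "$staged" "$TABLE_FILE"
    pfctl -t "$TABLE" -T replace -f "$TABLE_FILE" > /dev/null
    pfctl -t "$TABLE" -T show | wc -l
}

# Only touch pf when invoked as: ./blocklist.sh --load /path/to/feed [limit]
if [ "${1:-}" = "--load" ]; then
    load_table "$2" "${3:-$DEFAULT_LIMIT}"
fi
```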