On Tuesday 08 February 2005 2:14 pm, Kenneth Porter wrote:
> --On Tuesday, February 08, 2005 11:14 AM -0700 Brian Godette <[EMAIL PROTECTED]> wrote:
> > care must be taken to have the expiry times reasonable or the iptables rule list becomes much too large and eventually chews up all available CPU.
>
> Have you seen the "ipset" stuff on the netfilter-devel list? This is a new set of modules that works with sets of addresses. It should allow you to have a much larger rejection list.
The rejection list can be pretty huge as it is; however, since the script doesn't aggregate IP addresses, there is a possibility of it becoming excessively large (8 figures or more) if addresses stay in the list for very long periods of time (months) before being expired. That's completely theoretical, since I doubt there are tens of millions of zombie proxies/open relays out there, but expiration times that long are IMO excessive regardless.
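The two factors raised in this exchange, expiring entries on time and aggregating addresses into prefixes so the rule list stays small, can be illustrated with the following added example. It is not the script discussed in the thread; the address-to-expiry map and its sample entries are constructed here (RFC 5737 documentation ranges), and the counts stand in for per-address versus aggregated iptables rules.

```python
import ipaddress

# Constructed sample standing in for a per-address rejection list:
# address -> expiry timestamp (hypothetical format, not the thread's script).
# Timestamps are arbitrary seconds; "now" is passed in by the caller.
SAMPLE_LIST = {
    "203.0.113.0": 200.0,
    "203.0.113.1": 200.0,
    "203.0.113.2": 200.0,
    "203.0.113.3": 200.0,
    "198.51.100.7": 50.0,   # already expired at now=100
    "198.51.100.8": 200.0,
    "192.0.2.16": 200.0,
}


def purge_expired(entries, now):
    """Return only the entries whose expiry time is still in the future."""
    return {ip: exp for ip, exp in entries.items() if exp > now}


def aggregate(entries):
    """Collapse live host addresses into the smallest set of covering prefixes.

    Adjacent /32s that fill an aligned block become one network, so four
    consecutive hosts such as 203.0.113.0-3 turn into a single /30 rule.
    """
    hosts = [ipaddress.ip_network(ip) for ip in entries]
    return sorted(ipaddress.collapse_addresses(hosts))


def rule_counts(entries, now):
    """Return (per-address rule count, aggregated rule count) after expiry."""
    live = purge_expired(entries, now)
    return len(live), len(aggregate(live))


if __name__ == "__main__":
    per_host, aggregated = rule_counts(SAMPLE_LIST, now=100.0)
    print(f"per-address rules: {per_host}, aggregated rules: {aggregated}")
    for net in aggregate(purge_expired(SAMPLE_LIST, now=100.0)):
        print(net)
```

Running this shows six live addresses collapsing to three prefixes; on a real list with long expiry windows the gap between the two counts is what decides whether a per-address chain stays manageable.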