Comment by bravetraveler
1 year ago
Eventually you're probably going to want an ipset, at least. Otherwise processing your chain will continuously cost more, and more, and more.
I just declare firewall jubilee every now and then, where I flush the iptables and let people try again. It's also because people usually only control the IPs they use temporarily, so I don't want someone innocent later on to be blocked from using the service because someone abusive used their IPs beforehand. But even if I didn't do this, it doesn't cost much for Linux to iterate over an array of blocked int32s. It's really only allocated TCP connection resources that are problematic.
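An added example, not code from any of the commenters, that combines the two points above (an ipset instead of an ever-growing chain, and letting blocks lapse): each entry carries a timeout, so it expires on its own instead of waiting for a manual flush, and the chain holds a single rule however many addresses are listed. The set name, the one-day TTL and the DRY_RUN switch are assumptions; it expects ipset and iptables and root when run for real.

```shell
#!/bin/sh
# Assumed set name and entry lifetime (seconds); override via environment.
SET_NAME="${SET_NAME:-blocklist}"
TTL="${TTL:-86400}"

# With DRY_RUN=1 the privileged commands are printed instead of executed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Accept only a dotted-quad IPv4 address, so junk pulled out of a log line
# (or a crafted value) never reaches ipset as an argument.
valid_ipv4() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# A hash:ip set with a default timeout; -exist keeps both steps idempotent.
# One iptables rule references the set, so the chain never grows.
ensure_set() {
  run ipset -exist create "$SET_NAME" hash:ip timeout "$TTL"
  if [ "${DRY_RUN:-0}" = 1 ] || \
     ! iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null; then
    run iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
  fi
}

# Block one address; re-adding an existing entry just refreshes its timeout,
# and an entry that is not refreshed drops out of the set after TTL seconds.
block_ip() {
  valid_ipv4 "$1" || { echo "refusing malformed address: $1" >&2; return 1; }
  run ipset -exist add "$SET_NAME" "$1" timeout "$TTL"
}

# Read addresses one per line (first field only) and print how many were added.
block_from_stdin() {
  n=0
  while read -r ip _; do block_ip "$ip" && n=$((n + 1)); done
  echo "$n"
}
```

Run `ensure_set` once at startup and feed `block_from_stdin` from whatever extracts offending addresses; `ipset list blocklist` shows the remaining lifetime of every entry.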
I'm glad you make a point to flush the chain/let things retry. I often hear about people adding drops... to just then forget about them
I saw millions and started to feel my heart race a little