by fragmede
899 days ago
Does it meaningfully hurt performance though? Like, if I'm serving Google.com, adding microseconds to reply to a packet really adds up to be a problem, but for a Raspberry Pi sitting at my house, what's the performance impact of having a million iptables rules?
For example, shorewall/shorewall6 has rule-set optimization for blrules (be warned: single-threaded Perl can take a while for 300k IPs, and quick-boot rule caching should be off during initial configuration).
I also use a crude ban-list generator script for certain persistently annoying country codes poking around; it currently imports a lot of iblocklist, Spamhaus, known-compromised-IP posts on dodgy forums, and malformed whois records.
Yes, it is rude to black-hole entire countries, but these same areas often tend to ruin the games with lagged connections and lame vulnerability/exfiltration scans.
https://www.youtube.com/watch?v=eGOtZDk6wRc
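An added example, written for this thread and not code from either commenter, from shorewall, or from the ban-list generator described above. It addresses both the "million iptables rules" question and the generator script: a plain iptables chain is tested rule by rule, so per-packet cost grows with the number of rules, whereas an ipset `hash:net` set is probed once per distinct prefix length regardless of how many prefixes it holds. The script parses a constructed blocklist in two formats the reply mentions (iblocklist P2P `name:start-end` ranges and Spamhaus DROP-style `cidr ; comment` lines; the sample data is made up, not real list content), collapses overlaps, renders an `ipset restore` file for a set assumed to be named `blocklist`, and then counts lookups under both matching models. The per-prefix-length bucket model is a simplification of what ipset does; it is meant to show the scaling difference, not to measure real netfilter timings.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input, not real blocklist data. It mixes iblocklist
# P2P lines ("name:start-end") with Spamhaus DROP-style lines ("cidr ; comment").
SAMPLE_BLOCKLIST = """\
# iblocklist-style P2P ranges (constructed)
Example scanner range:203.0.113.0-203.0.113.255
Example single host:198.51.100.77-198.51.100.77
# Spamhaus DROP-style lines (constructed)
192.0.2.0/24 ; SBL-EXAMPLE
203.0.113.64/26 ; already covered by the range above
"""

P2P_LINE = re.compile(r"^(?P<name>[^:]*):(?P<start>[\d.]+)-(?P<end>[\d.]+)$")


def parse_blocklist(text):
    """Yield IPv4Network objects from mixed P2P / DROP-style lines."""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop DROP-style trailing comments
        if not line or line.startswith("#"):
            continue
        m = P2P_LINE.match(line)
        if m:
            start = ipaddress.IPv4Address(m["start"])
            end = ipaddress.IPv4Address(m["end"])
            # An arbitrary start-end range becomes the minimal list of CIDRs.
            yield from ipaddress.summarize_address_range(start, end)
        else:
            yield ipaddress.IPv4Network(line, strict=False)


def collapse(networks):
    """Merge overlapping and adjacent prefixes so the set has no redundant entries."""
    return list(ipaddress.collapse_addresses(networks))


def ipset_restore(name, networks):
    """Render an `ipset restore` script that builds a temp set and swaps it in atomically."""
    tmp = f"{name}_tmp"
    lines = [f"create {name} hash:net family inet",
             f"create {tmp} hash:net family inet",
             f"flush {tmp}"]
    lines += [f"add {tmp} {net.with_prefixlen}" for net in networks]
    lines += [f"swap {tmp} {name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


def bucket_by_prefixlen(networks):
    """Index prefixes by length: one hash table per distinct prefix length (hash:net model)."""
    buckets = defaultdict(set)
    for net in networks:
        buckets[net.prefixlen].add(int(net.network_address))
    return dict(buckets)


def set_match(buckets, ip):
    """hash:net-style lookup: one probe per distinct prefix length, not per entry.

    Returns (matched, probes)."""
    addr = int(ipaddress.IPv4Address(ip))
    probes = 0
    for plen, nets in buckets.items():
        probes += 1
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        if (addr & mask) in nets:
            return True, probes
    return False, probes


def linear_match(networks, ip):
    """Plain iptables chain model: every rule is tested in order until one matches.

    Returns (matched, rules_evaluated)."""
    addr = ipaddress.IPv4Address(ip)
    for i, net in enumerate(networks, 1):
        if addr in net:
            return True, i
    return False, len(networks)


if __name__ == "__main__":
    nets = collapse(parse_blocklist(SAMPLE_BLOCKLIST))
    print(ipset_restore("blocklist", nets))
    # Pad the list with 100k constructed /32 entries to show how the two models scale.
    decoys = [ipaddress.IPv4Network((0x0A000000 + i, 32)) for i in range(100_000)]
    big = nets + decoys
    print("linear chain, unlisted IP:", linear_match(big, "8.8.8.8"))
    print("hash:net-style, unlisted IP:", set_match(bucket_by_prefixlen(big), "8.8.8.8"))
```

Load the generated file with `ipset -exist restore < blocklist.restore` and reference the set from a single rule such as `iptables -I INPUT -m set --match-set blocklist src -j DROP`; the swap/destroy pair means the live set is replaced in one step rather than being flushed and refilled while traffic flows. The decoy run shows the point of the original question: the unlisted IP costs a hundred thousand rule evaluations in the chain model and two probes in the set model.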