lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20090109084540.GH5038@1wt.eu>
Date:	Fri, 9 Jan 2009 09:45:40 +0100
From:	Willy Tarreau <w@....eu>
To:	jmerkey@...fmountaingroup.com
Cc:	linux-kernel@...r.kernel.org
Subject: Re: [ANNOUNCE] Kernel Blocking Firewall

On Fri, Jan 09, 2009 at 12:36:06AM -0700, jmerkey@...fmountaingroup.com wrote:
> > On Thu, Jan 08, 2009 at 07:23:43PM -0700, jmerkey@...fmountaingroup.com
> > wrote:
> >> iptables is just too cumbersome and memory comsumptive to work well and
> >> has a shitty app inteface so I wrote one with a kernel level database
> >> and
> >> combined it with postfix.    This firewall actually drops packets on the
> >> floor by port, or in their entirety by IP address to deal with these
> >> jerks.
> >>
> >> The code is a kernel module that will build an RBL database to disk and
> >> it
> >> will cache up to 500,000 IP addresses efficiently on a 1GB home personal
> >> computer.  The more memory you have, the more IP addresses you can
> >> cache.
> >> It is configurable and possible to hold millions of them if you have 4GB
> >> of memory in the server.
> >
> > why didn't you use ipset for that ? It's designed exactly for this usage
> > and is a lot easier to use than plain iptables for dynamic filtering.
> >
> > Willy
> 
> 
> No database to store the 500,000+ addresses you will harvest in about 2
> months, that's why.  The one I did uses an lru cached database that runs
> in the kernel, and not userspace, so you can filer real time, and manage
> the database real time.

ipset runs in kernel too, you just add/remove entries from userspace
without having to touch all other ones. It has no problem storing one
million addresses and doing fast lookups on them.

I'm not dismissing your work, I just think it's a duplicate effort.

Also, since you're speaking about botnets, you should support automatic
expiration of those addresses, because almost all those addresses are
dynamic and will match a bot for a small amount of time, then match a
normal non-infected user. One of the reasons you found 500k addresses
might very well be because each bot appears one hundred times at different
addresses.

Willy

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ