iptables and combining additional rule sources

Jeffrey Walton noloader at gmail.com
Sat Apr 25 13:16:13 EDT 2020


On Sat, Apr 25, 2020 at 12:53 PM Valdis Klētnieks
<valdis.kletnieks at vt.edu> wrote:
>
> On Sat, 25 Apr 2020 02:55:08 -0400, Jeffrey Walton said:
>
> > One last question... Should I create my own target - say mediawiki -
> > and append my rules to it? That may simplify things:
> >
> > * Header, newstuff and trailer is fixed
> > * newstuff just jumps to mediawiki target
> > * if mediawiki does not ban, then control returns to trailer
> >
> > Then, my out-of-proc service just keeps adding to mediawiki target. I
> > don't need to write files in this case. I'll just keep adding to the
> > running config.
>
> That totally fails if your machine reboots, because there's no memory of
> what the rules were before the reboot.

Yeah, I'm OK with that. Dropping the database means the code
simplifies _a lot_. I can remove the administrivia, connection
information and all the code for inserts and deletes.

Looking at the logs, these folks are aggressive. It looks like (to me)
the wiki installation will see most spammers in the first 5 or 10
minutes of starting up. After initial startup the system reaches
stability rather quickly.

I think it is a good tradeoff.

Jeff
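
The design discussed in this thread (a dedicated mediawiki chain that an out-of-process service keeps appending bans to in the running config), as an added example that is not part of the original message. Only the chain name comes from the post; the `DRY_RUN` switch, the `DROP` verdict, the helper names and the sample address are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Only the chain name "mediawiki"
# comes from the post; DRY_RUN, the DROP verdict and the sample address are assumptions.
CHAIN=mediawiki
DRY_RUN=${DRY_RUN:-1}            # 1 = print the commands, 0 = run them (needs root)

# Print or run one iptables command; -w waits for the xtables lock.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        [ "$1" = -C ] && return 1    # dry run: treat every rule as absent
        echo "iptables -w $*"
    else
        iptables -w "$@"
    fi
}

# Accept a plain dotted-quad only, so text scraped from web logs can never
# reach iptables as an option, a hostname to resolve, or a CIDR range.
valid_ipv4() (
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
)

# Create the chain once and make sure INPUT jumps to it. If the fixed ruleset
# already has the jump between header and trailer, -C finds it and nothing is
# added. A packet that matches no ban falls off the end of the chain and
# continues with the rule after the jump.
setup_chain() {
    ipt -N "$CHAIN" 2>/dev/null || true
    ipt -C INPUT -j "$CHAIN" 2>/dev/null || ipt -I INPUT 1 -j "$CHAIN"
}

# Append one ban to the running config, skipping addresses already banned.
ban() {
    valid_ipv4 "$1" || { echo "rejected: $1" >&2; return 2; }
    ipt -C "$CHAIN" -s "$1" -j DROP 2>/dev/null || ipt -A "$CHAIN" -s "$1" -j DROP
}

setup_chain
ban 203.0.113.7                  # constructed address (documentation range)
```

Run with `DRY_RUN=0` as root to apply the commands instead of printing them.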


