Peter wrote:
> Way too much traffic for that. I did try http://phprbl.init1.nl/ but lookups are too slow. All those types of options require the server to do more work and DNS lookups. My current system is very efficient but it would be better to deny the request at the firewall level.
>
> > The only thing that I can recommend for m0n0wall is to have someone write a patch to bulk add the rules that you want.

As long as we're using ipf, it seems like a bad option to let people bulk load IPs for a particular rule, since it requires a separate rule for each one, and people are likely to wind up shooting themselves in the foot.

If m0n0wall used pf, which, unfortunately, it doesn't, it would be a simple matter of making a table of all of the IPs and writing a block rule for it. That approach would be fast and efficient. If your server is BSD (which I would surmise that it's not) you could run a local pf firewall for that express purpose.

There's one other option that I can think of, and that's using a program like curl to post each rule to the firewall_rules_edit.php. It's probably the simplest way. It still has the performance implications mentioned before.
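As an added illustration of the pf approach the reply describes (this is example configuration, not from the list post or from m0n0wall), the whole block list goes into one pf table and a single rule references it. The interface name `em0`, the file path `/etc/pf.blocklist` and the address `192.0.2.10` are assumptions chosen for the example.

```pf
# Added example, not from the post: one pf table, one block rule.
# Assumptions: the external interface is em0 and /etc/pf.blocklist holds
# one address or CIDR prefix per line.
ext_if = "em0"

# 'persist' keeps the table defined even when it is empty; 'file' preloads
# its contents from disk whenever the ruleset is loaded.
table <blocklist> persist file "/etc/pf.blocklist"

# A single rule covers every entry in the table. pf matches table entries
# with a radix-tree lookup, so the per-packet cost does not grow with the
# number of entries the way one-rule-per-address does under ipf.
# 'log' records the drops so the block list can be audited.
block in quick log on $ext_if from <blocklist> to any

# Entries can be changed at run time without reloading the ruleset:
#   pfctl -t blocklist -T add 192.0.2.10       (constructed example address)
#   pfctl -t blocklist -T delete 192.0.2.10
#   pfctl -t blocklist -T replace -f /etc/pf.blocklist
#   pfctl -t blocklist -T show
```

The point of the table is that adding or removing an address is a table operation, not a ruleset edit, so the ruleset stays a handful of lines no matter how long the list grows.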