5

I'm wondering how scalable it is to add IP addresses or subranges I want to block into ufw. E.g., I do this whenever I discover a particularly bad bot or server farm. As my list grows, I wonder how much overhead I'm placing on the system; because now every packet must be checked against this list.

Does anyone have experience with a block list of a certain size that began to cause system load, or network slowdowns?

Is there anything in the docs somewhere about this?

Right now I've got about 15 rules. Is there some number of rules I should stay below?

Dogweather
  • 295
  • 1
  • 7

1 Answers1

7

It's a whole lot less load than trying to service the traffic... large chains have an impact on performance, but with a bit of judicious optimisation (splitting out traffic into different chains) you can keep it under control.

For reference, I've got a 20k rule iptables firewall that performs quite adequately under a couple of hundred Mbps of traffic... I don't think you've got much to worry about with 15 rules.

womble
  • 96,255
  • 29
  • 175
  • 230