On Tue, Feb 4, 2020 at 5:34 AM Jerry Geis <jerry.geis at gmail.com> wrote:
> Hi All,
>
> Over the last 20 some years I have a file with about 200K worth of addresses
> that have "wrongly" tried to connect to my boxes running CentOS. So the
> file has one line per address or group of addresses like:
> 2.244.112.0/24
>
> So using the OLD iptables I would run through my file, build the
> iptables.txt file and start that with DROP for the IP address. iptables ran
> through the big list in no time.
>
> I was trying to run a script to go through each line and run:
> firewall-cmd --zone=drop --add-source="$ipblock" --permanent
> but this takes a long time.
>
> What is a "better" way or more efficient way to keep my long list of bad
> addresses and apply them? Thanks,
>
> Jerry
>

Hi,

If you are using CentOS 7, you can use ipset. You can add all your IPs and IP ranges to an ipset and do operations on it.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-setting_and_controlling_ip_sets_using_firewalld

The same should have worked for CentOS 8 except for this,

https://bugzilla.redhat.com/show_bug.cgi?id=1774742

---
Lee
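The ipset approach Lee points to, worked through as an added example (this script is not from the thread and is not Jerry's or Lee's code). It assumes a blocklist file with one IPv4 address or CIDR per line, as in the question, a firewalld with ipset support (CentOS 7), and a set name of `blocklist`, which is just a placeholder. Instead of one `firewall-cmd --add-source` call per line, it cleans the list offline, creates a single `hash:net` ipset, loads every entry in one `--add-entries-from-file` call, and attaches the whole set to the drop zone once. Two things the one-liner in the question would miss: `hash:net` sets default to `maxelem=65536`, so a 200K-entry list needs a larger `--option=maxelem` or the tail of the list is rejected, and stray blank lines, comments or malformed tokens in a 20-year-old file will abort the bulk load, so the list is filtered first.

```shell
#!/usr/bin/env bash
# Added example, not code from the original thread. Assumes: blocklist file with
# one IPv4 address or CIDR per line; firewalld with ipset support (CentOS 7);
# root to run the firewall-cmd calls. The set name "blocklist" is a placeholder.
set -euo pipefail

SET_NAME="${SET_NAME:-blocklist}"

# Normalize a raw blocklist: strip comments and surrounding whitespace, keep only
# tokens that look like an IPv4 address or /0-/32 CIDR (light sanity filter, not
# full octet-range validation), and deduplicate. Prints the cleaned list so it can
# be fed to --add-entries-from-file in one call.
normalize_blocklist() {
    # $1 = path to the raw blocklist
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' \
      | LC_ALL=C sort -u
}

# hash:net sets default to maxelem=65536, so a 200K-entry list would not load.
# Return the smallest power of two >= 2 * entry count, never below the default.
maxelem_for() {
    local count=$1 size=65536
    while [ "$size" -lt $((count * 2)) ]; do size=$((size * 2)); done
    echo "$size"
}

# Create the set once (idempotent), bulk-load it, attach it to the drop zone,
# and reload so the permanent config becomes the running config.
apply_blocklist() {
    # $1 = path to the raw blocklist
    local raw=$1 clean n
    clean=$(mktemp)
    normalize_blocklist "$raw" > "$clean"
    n=$(wc -l < "$clean")

    if ! firewall-cmd --permanent --get-ipsets | grep -qw "$SET_NAME"; then
        firewall-cmd --permanent --new-ipset="$SET_NAME" --type=hash:net \
            --option=family=inet --option=maxelem="$(maxelem_for "$n")"
    fi
    # One call loads every entry; far faster than one --add-source per line.
    firewall-cmd --permanent --ipset="$SET_NAME" --add-entries-from-file="$clean"
    # Attach the whole set to the drop zone once; entries can change later
    # without touching the zone again.
    firewall-cmd --permanent --zone=drop --add-source="ipset:$SET_NAME"
    firewall-cmd --reload
    # Check the entry count matches what was loaded.
    firewall-cmd --info-ipset="$SET_NAME"
    rm -f "$clean"
}

# Usage (as root): apply_blocklist /path/to/badaddrs.txt
```

Later updates only need the `--ipset=... --add-entries-from-file` (or `--remove-entry`) step plus a reload; the zone binding stays in place. If you keep the raw file under version control, `normalize_blocklist` doubles as a lint step that shows you which lines firewalld would have refused.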