[CentOS] Switching from lokkit (iptables) to firewalld

Tue Feb 4 19:06:41 UTC 2020
Chris Adams <linux at cmadams.net>

Once upon a time, Stephen John Smoogen <smooge at gmail.com> said:
> It will because it is a linear list that every packet has to be 'judged'
> against. Even if you break it down to 2 or 3 trees it will still take a
> while.

Putting them in ipset would be much better performance (uses hash, so
not a linear search).  It also makes for a much more readable and
manageable firewall config.  I use ipsets for most everything these
days, even where there are just a few IPs/networks involved.  However...

> Any list of ip addresses is going to be outdated by a year because of how
> ranges are so dynamic these days. Most 'bad-guys' can jump around a couple
> hundred thousand or million ip addresses without much cost on their part
> and can get new ranges to screw around weekly.

Yeah, it's going to be a useless list.  If you want to protect services,
then short-term blocking like fail2ban is okay - better is to just allow
your "known good" sources and not try to block things bit by bit.

-- 
Chris Adams <linux at cmadams.net>
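The approach Chris describes above (a hash-based ipset instead of a long linear chain, and allowing only "known good" sources rather than blocking address lists piecemeal) as a worked example. This is an added illustration, not code from the thread or from any of its participants: it turns a plain list of trusted networks into an `ipset restore` file and the two iptables rules that allow a service only from that set and drop everything else. The set name `known_good`, port 22, and the sample networks are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): build an ipset "restore" file
# from a plain list of known-good networks, plus the iptables rules that allow
# a service only from that set and drop it from every other source.
# Assumptions (constructed for illustration): set name, service port, sample list.

SET_NAME="known_good"
SERVICE_PORT="22"

# Constructed sample input: one network per line; '#' comments and blank lines allowed.
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LIST='# office and VPN ranges (constructed sample values)
192.0.2.0/24
198.51.100.10/32

203.0.113.0/25   # partner network
'

# Strip comments and whitespace, then keep only lines that look like an IPv4
# address or CIDR network. Anything else is silently dropped rather than fed to ipset.
clean_list() {
    printf '%s\n' "$1" \
      | sed 's/#.*$//' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Emit an `ipset restore` script: create a hash:net set and add each entry.
# hash:net is keyed on the network prefix, so a packet is matched by hash lookup,
# not by walking a rule per address. -exist makes the script safe to re-run.
build_ipset_restore() {
    echo "create ${SET_NAME} hash:net family inet -exist"
    clean_list "$1" | while read -r net; do
        echo "add ${SET_NAME} ${net} -exist"
    done
}

# Emit the matching iptables rules: accept the service from the set,
# then drop the same service from everyone else (allow-list, not block-list).
build_iptables_rules() {
    echo "iptables -A INPUT -p tcp --dport ${SERVICE_PORT} -m set --match-set ${SET_NAME} src -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport ${SERVICE_PORT} -j DROP"
}

# Stand-alone run: print the restore file (feed it to `ipset restore`) and the rules.
build_ipset_restore "$SAMPLE_LIST"
build_iptables_rules
```

The same set works under firewalld, which is what the thread subject is about: `firewall-cmd --permanent --new-ipset=known_good --type=hash:net` creates it, `firewall-cmd --permanent --ipset=known_good --add-entries-from-file=FILE` loads one entry per line (the output of `clean_list` is in that shape), and a rich rule such as `rule source ipset=known_good service name=ssh accept` references it. Keeping the address list in the set, rather than in the rules, is what makes the configuration both fast to match and easy to update without touching the rule set.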