[CentOS] Switching from lokkit (iptables) to firewalld

Tue Feb 4 19:06:41 UTC 2020
Chris Adams <linux at cmadams.net>

Once upon a time, Stephen John Smoogen <smooge at gmail.com> said:
> It will because it is a linear list that every packet has to be 'judged'
> against. Even if you break it down to 2 or 3 trees it will still take a
> while.

Putting them in ipset would be much better performance (uses hash, so
not a linear search).  It also makes for a much more readable and
manageable firewall config.  I use ipsets for most everything these
days, even where there are just a few IPs/networks involved.  However...

> Any list of ip addresses is going to be outdated by a year because of how
> ranges are so dynamic these days. Most 'bad-guys' can jump around a couple
> hundred thousand or million ip addresses without much cost on their part
> and can get new ranges to screw around weekly.

Yeah, it's going to be a useless list.  If you want to protect services,
then short-term blocking like fail2ban is okay - better is to just allow
your "known good" sources and not try to block things bit by bit.

Chris Adams <linux at cmadams.net>