[asterisk-users] Using Firewall to protect Asterisk
Alex Balashov
abalashov at evaristesys.com
Fri Jul 15 11:52:43 CDT 2011
On 07/15/2011 12:47 PM, CDR wrote:
> I need to keep out all connection from 5 countries, which originate
> most of the Denial of Service attacks. The entries are around 9000 if
> used as xx.xx.0.0/16. I heard that there is a smarter way to do this
> by using User Tables in iptables, that will keep the speed equal to
> LOG(x). I already tried using a straight list and it kills the box.
> Unless a smarter way is found, there is no way to use iptables.
iptables is just a user-space configuration interface to the Linux
kernel netfilter. Netfilter uses complex hash tables and other data
structures to ensure that packet forwarding rules are looked up in as
close to O(1) as possible, not even LOG(n)--LOG(n) would be way too
expensive.
Other than conventional Cisco router access lists (notwithstanding
compiled lists and TurboACL), I don't know of any other packet filter in
the universe that does not do similarly. No packet filter would apply a
flat list, not the Linux netfilter, not the BSD packet filter, not even
Windows.
I am not sure what you mean by "User Tables" or in what context you
"already tried using a straight list"? What list? Where? Illuminating
that information would go a long way toward solving your question.
Also, don't post as "CDR". That's just retarded.
-- Alex
--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
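The usual way to give a large prefix blocklist the hash lookup discussed above, rather than one iptables rule per /16, is an ipset set of type hash:net consulted by a single "-m set" rule. The script below is an added example and is not code from the thread or from the Asterisk project: it turns a file of CIDR prefixes (the "xx.xx.0.0/16" entries in the question) into an "ipset restore" script and prints the one iptables rule that references the set. The set name "blocked_countries", the prefix-file format (one a.b.c.d/nn per line, '#' comments allowed) and the hashsize value are assumptions for illustration, and the sample feed at the bottom is constructed from documentation prefixes, not a real country list.

```shell
#!/bin/sh
# Added example, not code from the original thread. It turns a file of CIDR
# prefixes into an "ipset restore" script plus the one iptables rule that
# consults the set, so the per-packet cost is a hash:net lookup instead of a
# walk over thousands of individual -s rules. Assumed (not in the thread):
# the set name "blocked_countries" and a prefix file with one a.b.c.d/nn per
# line ('#' comments and junk lines are skipped). Generating the script needs
# no privileges; applying it needs root and the ipset/iptables packages.

SET_NAME="blocked_countries"

# Print an ipset restore script for the prefix file given as $1.
# Only tokens of the form a.b.c.d/nn are kept; duplicates are collapsed.
build_ipset_restore() {
    prefix_file="$1"
    nets=$(grep -Eo '^[0-9]+(\.[0-9]+){3}/[0-9]+' "$prefix_file" | sort -u)
    count=$(printf '%s\n' "$nets" | grep -c . || true)
    # hashsize: a power of two comfortably above the element count; maxelem:
    # hard cap so a bad feed cannot grow the set without bound.
    echo "create ${SET_NAME} hash:net family inet hashsize 16384 maxelem $((count * 2 + 1024))"
    printf '%s\n' "$nets" | while read -r net; do
        if [ -n "$net" ]; then
            echo "add ${SET_NAME} ${net}"
        fi
    done
}

# Print the iptables command that consults the set: a single "-m set" match
# at the top of INPUT, whose cost does not grow with the number of prefixes.
iptables_rules() {
    echo "iptables -I INPUT 1 -m set --match-set ${SET_NAME} src -j DROP"
}

# Constructed sample input (documentation prefixes, not a real country list),
# used by the checks below; a real feed is passed as the first argument.
sample_prefixes() {
    cat <<'EOF'
# constructed sample feed
203.0.113.0/24
198.51.100.0/24
203.0.113.0/24    # duplicate, collapsed by sort -u
not-a-prefix
192.0.2.0/24
EOF
}

# When run as "sh geoblock.sh prefixes.txt", emit the restore script and the
# rule; apply them with "ipset restore -exist < restore.txt" and then the
# printed iptables command (both as root).
if [ "$#" -ge 1 ]; then
    build_ipset_restore "$1"
    iptables_rules
fi
```

To refresh the list without a window where nothing is blocked, load the new prefixes into a second set of the same type and use `ipset swap` to exchange it with the live one, then destroy the old set; the iptables rule keeps pointing at the same set name throughout.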