[BlueOnyx:26290] Re: Saving APF Blacklist opens firewall

John Simpson john at swajime.com
Tue Jun 13 14:03:36 -05 2023


Hi Michael,

Thanks for taking the time for the very detailed and informative response.

I'd like to counter if I may.

It is taking a full minute and more to do the complete reload, in which
time there are many hacking efforts at play.

iptables uses chains.  Instead of flushing everything and then building and
adding one chain at a time:
1. Don't flush
2. Create a new chain(s) with the new rules
3. Insert the new chain(s) before the old chain
4. Remove the old chain(s)
5. Rename the new chain(s) to be the same as the old chain(s)

This should leave the existing rules intact while the new chains are built,
and the swap should be almost instantaneous.
This should also mean only the relevant chain needs to be rebuilt.

I do see the implementation already uses chains, so this should be a minor
change to make.

[root at 5209r httpd]# iptables -v -t filter  -S INPUT | grep -- "INPUT -c"
-A INPUT -c 375197 1713824291 -j dfix
-A INPUT -c 137827 30265130 -j REFRESH_TEMP
-A INPUT -c 137532 30249688 -j TALLOW
-A INPUT -c 137532 30249688 -j TDENY
-A INPUT -c 132802 30003618 -j TGALLOW
-A INPUT -c 132802 30003618 -j TGDENY
-A INPUT -c 130848 29569897 -j IN_SANITY
-A INPUT -c 130848 29569897 -j FRAG_UDP
-A INPUT -c 130848 29569897 -j PZERO
-A INPUT -c 130847 29569825 -j IDENT
-A INPUT -c 130834 29567519 -j P2P
-A INPUT -c 5 305 -j DROP
[root at 5209r httpd]# iptables -v -t filter  -S OUTPUT | grep -- "OUTPUT -c"
-A OUTPUT -c 126027 46200594 -j REFRESH_TEMP
-A OUTPUT -c 126027 46200594 -j TALLOW
-A OUTPUT -c 126027 46200594 -j TDENY
-A OUTPUT -c 126026 46200542 -j TGALLOW
-A OUTPUT -c 126026 46200542 -j TGDENY
-A OUTPUT -c 124237 45688665 -j OUT_SANITY
-A OUTPUT -c 124237 45688665 -j FRAG_UDP
-A OUTPUT -c 124237 45688665 -j PZERO
-A OUTPUT -c 124236 45688593 -j IDENT
-A OUTPUT -c 124223 45687744 -j P2P
-A OUTPUT -c 44996 5478097 -j ACCEPT
[root at 5209r httpd]# iptables -v -t filter  -S INPUT | wc -l
172
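The chain swap described above (build new, insert ahead of old, remove old, rename), as an added example that is not part of the original post or of APF's own code. It assumes a rules file with one iptables rule-spec per line, a `_NEW` suffix for the temporary chain, and that every built-in chain jumping to the old chain is named on the command line; the `IPT` variable is a hypothetical override so the function can be dry-run against a stub.

```shell
#!/bin/sh
# Added example, not code from APF or BlueOnyx: replace one iptables chain
# without flushing the ruleset. The old chain keeps filtering until the new
# one sits in front of it, so there is no window with an open firewall.
IPT="${IPT:-iptables}"   # set IPT to a stub (e.g. a shell function) for a dry run

# swap_chain OLD RULES_FILE PARENT...
#   OLD        chain to replace (e.g. TDENY)
#   RULES_FILE one rule-spec per line, e.g. "-s 203.0.113.5 -j DROP"
#   PARENT...  every built-in chain that jumps to OLD (e.g. INPUT OUTPUT);
#              a chain still referenced from anywhere cannot be deleted.
swap_chain() {
    old=$1; rules=$2; shift 2
    new="${old}_NEW"

    # Steps 1+2: don't flush; build the replacement chain off to the side.
    $IPT -t filter -N "$new" || return 1
    while read -r spec; do
        [ -n "$spec" ] || continue
        # shellcheck disable=SC2086  # spec is split into iptables arguments on purpose
        $IPT -t filter -A "$new" $spec || return 1
    done < "$rules"

    for parent in "$@"; do
        # Rule number of the jump to OLD inside PARENT; -S prints the policy
        # line first, so count only the -A lines.
        pos=$($IPT -t filter -S "$parent" | grep -- "^-A $parent " \
              | grep -n -- " -j $old\$" | head -n 1 | cut -d: -f1)
        [ -n "$pos" ] || { echo "no jump to $old in $parent" >&2; return 1; }
        # Step 3: insert the jump to the new chain ahead of the old one ...
        $IPT -t filter -I "$parent" "$pos" -j "$new" || return 1
        # ... then step 4: drop the jump to the old chain.
        $IPT -t filter -D "$parent" -j "$old" || return 1
    done

    # Steps 4+5: the old chain is now unreferenced, so flush it, delete it,
    # and rename the new chain to the old name.
    $IPT -t filter -F "$old" && $IPT -t filter -X "$old" || return 1
    $IPT -t filter -E "$new" "$old"
}
```

If a run is interrupted after the `-N`, the `_NEW` chain is left behind and the next run will fail at that step; check for and remove it before retrying.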