From: Kevin Z. <kev...@gm...> - 2022-01-11 04:36:37
On 1/9/22 9:22 PM, Kevin Buckley wrote:
> 2h 00min 13916
> 1h 45min 12116 15mins 1800 120.00/m 2.00/s
> 1h 12min 8405 33mins 3711 112.45/m 1.87/s
> 1h 8min 7936 4mins 469 117.25/m 1.95/s

These numbers don't look good.

I don't have a system handy where I can test firewall-cmd, but is there an interface (or another command) that lets you bulk-add addresses to an ipset without invoking firewall-cmd once per address?

I took a cursory look at what our "competitor" fail2ban does:

https://github.com/fail2ban/fail2ban/blob/80805cabfcf57dd0454d47d7f86d43c6738ce629/config/action.d/firewallcmd-ipset.conf

Which, to summarize, seems to be:

    actionban = firewall-cmd --ipset=<ipmset> --add-entry=<ip>
    actionunban = firewall-cmd --ipset=<ipmset> --remove-entry=<ip>

Which seems to be exactly what SSHGuard is doing.

Anyone with more Linux firewall experience who could tell us if there's a faster way to add to a firewalld ipset? Is it time to teach SSHGuard how to use the dbus interface?

Regards,
Kevin
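As an added illustration (not code from the SSHGuard thread or project) of the per-address cost discussed above: firewall-cmd(1) also accepts `--ipset=NAME --add-entries-from-file=FILE` and `--remove-entries-from-file=FILE`, so a batch of addresses can be pushed in one invocation instead of one process per address. The ipset name `EXAMPLE_IPSET` is a placeholder, the address list is constructed, and `FIREWALL_CMD` is an assumed override so the script can be dry-run where firewalld is not installed.

```shell
#!/bin/sh
# Added example, not from the SSHGuard thread: batch addresses into one
# file and hand them to firewalld in a single firewall-cmd call.
# Assumes firewall-cmd(1) supports --add-entries-from-file.
IPSET="${IPSET:-EXAMPLE_IPSET}"                 # placeholder ipset name
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"     # set to 'echo' for a dry run

# Keep only syntactically plausible IPv4 addresses (optional /prefix),
# one per line, dropping duplicates while preserving first-seen order.
filter_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' | awk '!seen[$0]++'
}

# Read candidate addresses on stdin, write the cleaned list to the file
# named by $1, and print how many entries it contains.
build_entries_file() {
    filter_ipv4 > "$1"
    wc -l < "$1" | tr -d ' '
}

# One firewall-cmd invocation for the whole batch (runtime set only;
# run again with --permanent if the entries must survive a reload).
bulk_ban() {
    "$FIREWALL_CMD" --ipset="$IPSET" --add-entries-from-file="$1"
}

bulk_unban() {
    "$FIREWALL_CMD" --ipset="$IPSET" --remove-entries-from-file="$1"
}
```

Run it as `printf '203.0.113.5\n198.51.100.7\n' | build_entries_file /tmp/ban.lst && bulk_ban /tmp/ban.lst` after sourcing the script; with `FIREWALL_CMD=echo` it only prints the command it would run.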