Integrate an IP blacklist filter into firewall on baron
Reported by: zooey
Owned by: haiku-web
Our services receive quite a lot of unwanted traffic, most notably spam waves hitting our Trac and Drupal instances. Additionally, there are a number of misbehaving web crawlers which produce unnecessary load on our HTTP servers.
Supplementary to fighting the problem for each service individually (by using spam filters and/or Apache redirect rules), it seems like a good idea to try and get rid of at least part of that traffic by applying an IP blacklist filter at baron's firewall. This should reduce the bad traffic reaching baron and all of the VMs running on it.
ipset-blacklist looks like a promising candidate for the job.
We need to investigate how that could be integrated with the SuSEfirewall configuration script, such that the IP blacklist filter persists across reboots.
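
The blacklist step described above, as an added example that is not part of the ticket or of ipset-blacklist's own code: it turns a downloaded blocklist feed into an `ipset restore` file, rejecting malformed entries and any range that would cut off internal traffic, and swaps the new set in atomically. The set name `blacklist`, the never-block ranges and the feed contents are assumptions made for illustration.

```python
import ipaddress

# Ranges that must never be blocked: a poisoned or sloppy feed listing them
# would cut off the host's own or its VMs' traffic. (Assumed allowlist.)
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/3")]

def parse_feed(text):
    """Return (collapsed networks, rejected lines) from a plain-text feed."""
    nets, rejected = [], []
    for raw in text.splitlines():
        # Strip '#' and ';' comments, which common feeds use.
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            rejected.append(raw)          # not an address or CIDR at all
            continue
        # Refuse absurdly wide ranges and anything touching protected space.
        if net.prefixlen < 8 or any(net.overlaps(n) for n in NEVER_BLOCK):
            rejected.append(raw)
            continue
        nets.append(net)
    # Merge duplicates, contained subnets and adjacent halves.
    return list(ipaddress.collapse_addresses(nets)), rejected

def render_restore(nets, name="blacklist", maxelem=65536):
    """Build input for `ipset -exist restore`: fill a temp set, then swap."""
    tmp = name + "-tmp"
    opts = f"hash:net family inet maxelem {maxelem}"
    lines = [f"create {name} {opts}", f"create {tmp} {opts}", f"flush {tmp}"]
    lines += [f"add {tmp} {n}" for n in nets]
    lines += [f"swap {name} {tmp}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"

# Constructed sample feed (documentation address ranges, not real offenders).
SAMPLE_FEED = """\
# constructed sample feed
203.0.113.7
203.0.113.0/25   ; first half
203.0.113.128/25
198.51.100.42
192.168.1.10
0.0.0.0/0
not-an-ip
"""

if __name__ == "__main__":
    networks, bad = parse_feed(SAMPLE_FEED)
    print(render_restore(networks), end="")
    print("rejected:", bad)
```

Loading the rendered file with `ipset -exist restore` before the firewall rules that reference the set are applied is one way to have it survive a reboot; where that fits into the SuSEfirewall script is the open question in this ticket.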