I have a service that automates the Proxmox Firewall based on a few inputs, like HTTP traffic analysis. The goal here is to block malicious traffic on the firewall level (primarily LLM crawling bots and vulnerability scanners). To achieve that, I have a tool that fires a lot of requests to the IPSet API endpoint at /cluster/firewall/ipset/{name}/{cidr}, and that works fine. Usually.

Earlier today, I hit a state where the list of blocked IPs exceeded something like 250k, and then everything became unhappy. pve-firewall started failing with "status update error: No buffer space available" errors, and the HTTP API and the browser UI also started failing with the same error. So I think what happened is that my /etc/pve/firewall/cluster.fw file exceeded some sort of max-buffer size? I was able to recover by editing the firewall config file manually and restarting the daemon, but of course, that's not great.

I now wonder how to best deal with this. One option I of course have is to automate iptables or nftables manually myself, which, according to some earlier threads like this, should maybe be fine? However, I do wonder if there's an alternative solution to this, so I'm curious if there are any alternative approaches to blocklisting a large number of IPs.
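One concrete form of the "automate nftables myself" option raised above, as an added example that is not the poster's tool or anything shipped by Proxmox: collapse the blocklist into as few prefixes as possible, then emit a single nft script that sets up its own table and loads all elements in fixed-size `add element` statements. The table, set and chain names (`inet blocklist`, `blocked4`, `blocked6`, `input`) are hypothetical, the sample addresses are constructed documentation ranges, and the script assumes `nft` is installed on the host and that the table is kept separate from whatever pve-firewall manages.

```python
"""Generate and apply an nftables batch for a very large blocklist.

Added example, not the original poster's tool or Proxmox code. Table, set and
chain names below are hypothetical; nft must be installed on the host.
"""
import ipaddress
import subprocess
from typing import Iterable, List, Tuple

TABLE = "inet blocklist"   # hypothetical; a table of our own, not pve-firewall's
CHAIN = "input"
SET4, SET6 = "blocked4", "blocked6"
CHUNK = 2000               # prefixes per 'add element' statement


def collapse(cidrs: Iterable[str]) -> Tuple[List[ipaddress.IPv4Network], List[ipaddress.IPv6Network]]:
    """Parse addresses/CIDRs (ignoring blanks and '#' comments) and merge
    adjacent or overlapping prefixes per address family, so the set holds
    fewer elements than the raw list of blocked IPs."""
    v4, v6 = [], []
    for raw in cidrs:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)
        (v4 if net.version == 4 else v6).append(net)
    return list(ipaddress.collapse_addresses(v4)), list(ipaddress.collapse_addresses(v6))


def build_batch(cidrs: Iterable[str], chunk: int = CHUNK) -> str:
    """Emit one nft script: idempotent table/set/chain setup, then the whole
    element list split into fixed-size 'add element' statements. 'nft -f'
    applies the script as a single transaction, so the set is replaced
    atomically and is never left half-populated."""
    v4, v6 = collapse(cidrs)
    lines = [
        f"add table {TABLE}",
        f"add set {TABLE} {SET4} {{ type ipv4_addr; flags interval; auto-merge; }}",
        f"add set {TABLE} {SET6} {{ type ipv6_addr; flags interval; auto-merge; }}",
        f"add chain {TABLE} {CHAIN} {{ type filter hook input priority -10; policy accept; }}",
        f"flush chain {TABLE} {CHAIN}",   # so re-running does not duplicate the rules
        f"add rule {TABLE} {CHAIN} ip saddr @{SET4} counter drop",
        f"add rule {TABLE} {CHAIN} ip6 saddr @{SET6} counter drop",
        f"flush set {TABLE} {SET4}",      # full replace: old elements go, new ones follow
        f"flush set {TABLE} {SET6}",
    ]
    for name, nets in ((SET4, v4), (SET6, v6)):
        for i in range(0, len(nets), chunk):
            elems = ", ".join(str(n) for n in nets[i:i + chunk])
            lines.append(f"add element {TABLE} {name} {{ {elems} }}")
    return "\n".join(lines) + "\n"


def apply_batch(script: str, check_only: bool = False) -> None:
    """Load the script via 'nft -f -' (stdin); with -c nft only validates it."""
    cmd = ["nft", "-c", "-f", "-"] if check_only else ["nft", "-f", "-"]
    subprocess.run(cmd, input=script, text=True, check=True)


if __name__ == "__main__":
    # Constructed sample input (documentation ranges), not real attacker addresses.
    sample = ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.7",
              "2001:db8:bad::/48", "# trailing comment line"]
    script = build_batch(sample)
    print(script)
    # apply_batch(script, check_only=True)   # needs root and nft on the host
```

The two /25s in the sample collapse into one /24 before anything reaches the kernel, and a list with many contiguous addresses shrinks the same way. Everything after the setup lines is one transaction, so a rejected element leaves the previous set intact rather than a partially replaced one. The chain hooks `input` only; if the web service runs in guests behind a bridge, the same rules would need a second base chain on the `forward` hook, and the priority of -10 is only a choice to run ahead of the iptables filter hook (priority 0) that pve-firewall's rules use.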