I've been forced to revamp my firewall to accommodate fewer rule entries. It seems that the capacity of rule space is finite to the point that I've run out of it for new rules.
This being the case, I am forced to opt for more class A network blocks than I had originally envisioned.
The class A networks are all foreign with no domestic networks being affected.
I hate to resort to such heavy-handed tactics but I will not be exploited and those presenting this manner of problem will simply stay off of my cluster.
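The consolidation step described above (folding many per-host entries into a few wider blocks, widening no further than /8, which is what a class A block is in CIDR terms) worked through as an added Python example; this is not code from the original post. The offending host list, the protected "domestic" range and the rule budget are constructed placeholders drawn from the documentation address ranges, and the widening stops with an error rather than let a wider block catch a protected network.

```python
from ipaddress import ip_network, collapse_addresses

# Constructed sample data (not from the post): individual hosts that would each
# have cost one firewall rule entry.
OFFENDING_HOSTS = [
    "198.51.100.4", "198.51.100.5", "198.51.100.6", "198.51.100.7",
    "198.51.100.8", "198.51.100.9", "198.51.100.10", "198.51.100.11",
    "203.0.113.10", "203.0.113.11", "203.0.113.200",
]

# Constructed allowlist standing in for the "domestic networks" that a widened
# block must never cover.
PROTECTED = [ip_network("192.0.2.0/24")]

# "Class A" in the post corresponds to a /8 in CIDR notation: never go wider.
CLASS_A_PREFIXLEN = 8


def collapse_hosts(hosts):
    """Exact aggregation: merge adjacent hosts into the fewest networks that
    cover precisely the same addresses, so nothing extra gets blocked."""
    return list(collapse_addresses(ip_network(h) for h in hosts))


def widen(nets, prefixlen):
    """Replace every network longer than `prefixlen` with its enclosing
    supernet of that length, then re-collapse so siblings merge."""
    widened = (n.supernet(new_prefix=prefixlen) if n.prefixlen > prefixlen else n
               for n in nets)
    return list(collapse_addresses(widened))


def overlaps_protected(nets, protected):
    return any(n.overlaps(p) for n in nets for p in protected)


def fit_rule_budget(hosts, max_rules, protected=PROTECTED,
                    min_prefixlen=CLASS_A_PREFIXLEN):
    """Return a sorted list of at most `max_rules` networks covering every host.

    Starts from exact aggregation and widens one prefix bit at a time; the
    collateral blocking grows with each step, so it stops as soon as the list
    fits.  Raises ValueError if fitting would require going wider than /8 or
    would catch a protected network.
    """
    nets = collapse_hosts(hosts)
    if overlaps_protected(nets, protected):
        raise ValueError("the host list itself overlaps a protected network")
    prefixlen = 32
    while len(nets) > max_rules:
        if prefixlen <= min_prefixlen:
            raise ValueError(
                f"{len(nets)} blocks still exceed the budget of {max_rules} at /{min_prefixlen}")
        prefixlen -= 1
        candidate = widen(nets, prefixlen)
        if overlaps_protected(candidate, protected):
            raise ValueError(f"widening to /{prefixlen} would catch a protected network")
        nets = candidate
    return nets


if __name__ == "__main__":
    print("exact:", [str(n) for n in collapse_hosts(OFFENDING_HOSTS)])
    # Assumed budget of two remaining rule slots.
    print("budget 2:", [str(n) for n in fit_rule_budget(OFFENDING_HOSTS, max_rules=2)])
```

With the sample hosts, exact aggregation already halves the count (four networks for eleven hosts) without blocking any extra address; only when that still does not fit the budget does the widening trade reach for rule slots, and the protected list is what keeps that trade from touching traffic you meant to allow.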
I'm also considering the addition of mail server filters in lieu of firewall rules to handle the overflow. They're quick and easy and log the intrusions.
The mail server is much less restrictive than the web server from the perspective of general access because I try to allow valid traffic — and the fact is I like to keep it out of the firewall as much as possible.
The requirement of this level of prevention is a very sad notion indeed, but reality sometimes leads us down paths we'd just as soon avoid.