On Thursday 30 January 2003 3:43 pm, Purvis Robert wrote:
> How many rules would you say are "too many" to cause ipchains to crash? I'm
> just starting tightening up on one of our servers using ipchains. I don't
> want to shoot myself in the foot.

hmm, dunno about the ancient ipchains (why is anyone still using it? :p), but
with iptables ... some of our firewalls have literally thousands of rules,
though the boxes are very beefy with looooots of RAM and network cards, not
your average vanilla server.

If you only have a few (less than 100) rules on a single server that is not
shifting much traffic, then it's not really worth making your rules into
'trees'. If you shift lots of bandwidth, probably more than 20mb/sec on a
medium spec box, then you'll see a benefit gain, although it does entirely
depend on your rules and how they are ordered.

If you shift lots of traffic, or have hundreds of rules, just make sure you
balance your rules over multiple chains. Instead of sticking everything into
INPUT, do something like (use your imagination):

  -I INPUT -p tcp -d 192.168.0.0/24 -j INT1_TCP
  -I INPUT -p udp -d 192.168.0.0/24 -j INT1_UDP
  -I INPUT -p tcp -d 192.168.1.0/24 -j INT2_TCP
  -I INPUT -p udp -d 192.168.1.0/24 -j INT2_UDP

then add into each one ..

  -I INT1_TCP -p tcp --dport 80 -j ACCEPT
  -I INT1_UDP -p udp --dport 161 -s 1.2.3.4 -j ACCEPT
  -I INT2_TCP -p tcp --dport 22 -s 1.2.3.4 -j ACCEPT
  -I INT2_UDP -p udp --dport 53 -j ACCEPT

etc.

In the case I was talking about before, we knock it down another level, and
match on source and destination IP in some cases. 99% of the time, this is
really not necessary, but when you have thousands of rules, instead of going
through each one in order, you're saving a lot of time (but wasting a wee bit
of memory), and generally only iterating through 2 or 3 rules before actually
hitting a match.

Obviously, the rules are traversed in order, so make sure you put the most
commonly hit rules at the top of your chains.

hope that helps,

~ Theo

--
Theo Zourzouvillys <theo@xxxxxxxxxxxxxxxx> <http://theo.me.uk/>
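The chain tree Theo sketches, written out as an added example (not code from the original mail): a POSIX shell script that prints a complete ruleset in iptables-restore format, so it can be reviewed and test-parsed before it touches a live box. The subnets, the management host 1.2.3.4 and the ports are the mail's; the ESTABLISHED/RELATED rule at the top of INPUT and the trailing DROP in each leaf chain are assumptions added here.

```shell
#!/bin/sh
# Added example, not code from the original mail. Prints an iptables-restore
# ruleset that dispatches INPUT into per-subnet, per-protocol chains. Review
# it before loading, e.g. iptables-restore --test < rules.txt, then load it.

# Constructed sample data: "<chain prefix> <destination subnet>" per line.
SUBNETS="INT1 192.168.0.0/24
INT2 192.168.1.0/24"
MGMT=1.2.3.4    # sample management host allowed to reach SNMP and SSH

# Leaf chains: most commonly hit rule first, since a chain is walked in
# order, and a final DROP so nothing falls back into the long INPUT chain.
leaf_rules() {
    case "$1" in
        INT1_TCP) echo "-A INT1_TCP -p tcp --dport 80 -j ACCEPT" ;;
        INT1_UDP) echo "-A INT1_UDP -p udp --dport 161 -s $MGMT -j ACCEPT" ;;
        INT2_TCP) echo "-A INT2_TCP -p tcp --dport 22 -s $MGMT -j ACCEPT" ;;
        INT2_UDP) echo "-A INT2_UDP -p udp --dport 53 -j ACCEPT" ;;
    esac
    echo "-A $1 -j DROP"
}

gen_ruleset() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "$SUBNETS" | while read -r name net; do
        echo ":${name}_TCP - [0:0]"
        echo ":${name}_UDP - [0:0]"
    done
    # Replies to existing connections are the hottest match: test them first.
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Dispatch: one protocol+subnet test sends the packet to its leaf chain.
    echo "$SUBNETS" | while read -r name net; do
        echo "-A INPUT -p tcp -d $net -j ${name}_TCP"
        echo "-A INPUT -p udp -d $net -j ${name}_UDP"
    done
    echo "$SUBNETS" | while read -r name net; do
        leaf_rules "${name}_TCP"
        leaf_rules "${name}_UDP"
    done
    echo "COMMIT"
}

# Total rules: a packet now meets at most 1 + 4 + 2 of them, not all 13.
count_rules() { gen_ruleset | grep -c '^-A'; }
```

A packet for 192.168.1.0/24 tcp/22 is tested against the state rule, the four dispatch rules and the two rules in INT2_TCP; every other rule in the table is never looked at.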