Re: Optimizing Kernel for huge iptables ruleset

To: debian-firewall@lists.debian.org
Cc: Debian Firewall - LIST <debian-firewall@lists.debian.org>, users-l@lists.adamantix.org
Subject: Re: Optimizing Kernel for huge iptables ruleset
From: Andrew Porter <andy@defsdoor.demon.co.uk>
Date: Tue, 19 Oct 2004 13:45:38 +0100
Message-id: <[🔎] 1098189938.4198.3.camel@defslap>
In-reply-to: <[🔎] 417502B0.9090004@gmx.net>
References: <[🔎] 417502B0.9090004@gmx.net>

On Tue, 2004-10-19 at 13:04, Martin G.H. Minkler wrote:

> Two iptables rulesets:
> The first 'normal' ruleset is pretty restrictive against connetions from 
> the outside, more or less open towards connections opened from the LAN.
> The second ruleset inserted after the first is a huge IP blacklist 
> (1.4MB iptables script!) that takes nearly half an hour to be inserted 
> into the running ruleset.

There has to be a better way to do this, however - 
Make sure your list's rules are only checking against SYN packets
Allow non SYN before your list checking chain.

This way only new connections will be compared against your massive list
not every packet.

Reply to:

Follow-Ups:
- Re: Optimizing Kernel for huge iptables ruleset
  - From: Andrew Porter <andy@defsdoor.demon.co.uk>
- Re: Optimizing Kernel for huge iptables ruleset
  - From: Mike Mestnik <cheako911@yahoo.com>

References:
- Optimizing Kernel for huge iptables ruleset
  - From: "Martin G.H. Minkler" <dukeofnukem@gmx.net>

Prev by Date: Optimizing Kernel for huge iptables ruleset
Next by Date: Re: Optimizing Kernel for huge iptables ruleset
Previous by thread: Optimizing Kernel for huge iptables ruleset
Next by thread: Re: Optimizing Kernel for huge iptables ruleset
Index(es):
- Date
- Thread