
Re: Optimizing Kernel for huge iptables ruleset

--- Andrew Porter <andy@defsdoor.demon.co.uk> wrote:

> On Tue, 2004-10-19 at 13:04, Martin G.H. Minkler wrote:
> > Two iptables rulesets:
> > The first 'normal' ruleset is pretty restrictive against connections from
> > the outside, more or less open towards connections opened from the LAN.
> > The second ruleset inserted after the first is a huge IP blacklist 
> > (1.4MB iptables script!) that takes nearly half an hour to be inserted
> > into the running ruleset.
> There has to be a better way to do this, however - 
> Make sure your list's rules are only checking against SYN packets
> Allow non SYN before your list checking chain.
In other words, add "-m state --state NEW" to the rule whose target points
to your blacklist chain.

> This way only new connections will be compared against your massive list
> not every packet.


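The structure the thread recommends, written out as an added example that is not part of the original mailing-list post: a separate blacklist chain, an ESTABLISHED,RELATED accept ahead of it (Andrew's "allow non-SYN before your list checking chain"), and a jump into the chain that carries "-m state --state NEW" so only the first packet of a connection is matched against the list. The script emits iptables-restore text rather than calling iptables once per rule; the chain name "blacklist", the helper names and the TEST-NET addresses in the sample list are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore fragment
# whose blacklist chain is consulted only for NEW connections.

BLACKLIST_CHAIN="blacklist"   # chain name is an assumption for this example

# Constructed sample blacklist (RFC 5737 documentation ranges), one entry per line.
SAMPLE_BLACKLIST='192.0.2.0/24
# comment lines and blank lines are skipped
198.51.100.7

203.0.113.0/25'

# emit_ruleset <chain> [input_file]: print iptables-restore text on stdout.
# Reads the blacklist from input_file if given, otherwise from SAMPLE_BLACKLIST.
emit_ruleset() {
    chain="$1"
    src="${2:-}"
    printf '%s\n' '*filter'
    printf '%s\n' ":$chain - [0:0]"
    # Packets of connections already in the state table never reach the list.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Only the first packet of a new connection is compared against the list.
    printf '%s\n' "-A INPUT -m state --state NEW -j $chain"
    printf '%s\n' "-A FORWARD -m state --state NEW -j $chain"
    if [ -n "$src" ]; then
        ips=$(cat "$src")
    else
        ips="$SAMPLE_BLACKLIST"
    fi
    # One DROP rule per listed address or network; the long list lives only here.
    printf '%s\n' "$ips" | while IFS= read -r ip; do
        case "$ip" in ''|'#'*) continue ;; esac
        printf '%s\n' "-A $chain -s $ip -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# count_blacklist_rules <chain> [input_file]: number of DROP entries generated.
count_blacklist_rules() {
    emit_ruleset "$@" | grep -c "^-A $1 -s "
}

# jump_is_new_only <chain>: succeeds (exit 0) only if every jump into the
# chain is restricted to --state NEW, i.e. no per-packet lookups remain.
jump_is_new_only() {
    emit_ruleset "$1" | grep -- " -j $1\$" | grep -qv -- '--state NEW' && return 1
    return 0
}

# Stand-alone use prints the generated ruleset; in practice you would run
#   emit_ruleset blacklist /path/to/blacklist.txt | iptables-restore
emit_ruleset "$BLACKLIST_CHAIN"
```

Loading the output with iptables-restore installs the whole table in one operation instead of re-reading and re-writing the ruleset for every one of the tens of thousands of individual iptables calls, which is where the half-hour load time in the original report comes from. The "-m state" match is what the thread uses; on current kernels "-m conntrack --ctstate NEW" is the equivalent.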