Re: Optimizing Kernel for huge iptables ruleset
--- Andrew Porter <firstname.lastname@example.org> wrote:
> On Tue, 2004-10-19 at 13:04, Martin G.H. Minkler wrote:
> > Two iptables rulesets:
> > The first 'normal' ruleset is pretty restrictive against connections
> > the outside, more or less open towards connections opened from the
> > The second ruleset inserted after the first is a huge IP blacklist
> > (1.4MB iptables script!) that takes nearly half an hour to be inserted
> > into the running ruleset.
> There has to be a better way to do this, however -
> Make sure your list's rules are only checking against SYN packets
> Allow non SYN before your list checking chain.
In other words, add "-m state --state NEW" for a rule with target pointing
to your blacklist chain.
> This way only new connections will be compared against your massive list
> not every packet.
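The arrangement suggested above (state check first, blacklist chain only for NEW connections), written out as an added example that is not from the original thread: a small POSIX shell script that turns a plain blacklist file into an iptables-restore ruleset. The chain name BLACKLIST, the sample addresses and the example SSH accept rule are assumptions made for this illustration, not taken from the posters' configurations.

```shell
#!/bin/sh
# Added example, not code from the thread: generate an iptables-restore file in
# which ESTABLISHED/RELATED traffic is accepted before the blacklist chain and
# only packets in state NEW (the SYN, for TCP) are sent through the big list.
# Chain name BLACKLIST, the sample addresses and the port-22 rule are assumptions.

# Constructed sample blacklist: one address or CIDR per line, '#' comments allowed.
SAMPLE_LIST='# constructed sample blacklist
192.0.2.10
198.51.100.0/24

203.0.113.77'

# Read addresses from stdin and write a complete filter-table ruleset to stdout.
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':BLACKLIST - [0:0]'
    # Packets of an existing connection are accepted here and never reach the list.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Only new connections are compared against the blacklist chain.
    printf '%s\n' '-A INPUT -m state --state NEW -j BLACKLIST'
    # The "normal" restrictive rules follow; one example accept rule for SSH.
    printf '%s\n' '-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT'
    # One DROP per blacklisted source, kept in the dedicated chain.
    grep -v '^#' | grep -v '^[[:space:]]*$' | while read -r addr; do
        printf '%s\n' "-A BLACKLIST -s $addr -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# Count the rules that live in the blacklist chain (reads a ruleset on stdin).
count_blacklist_rules() {
    grep -c '^-A BLACKLIST '
}

# Succeed only if the jump into BLACKLIST is restricted to state NEW
# (reads a ruleset on stdin); a sanity check before loading the file.
jump_is_state_limited() {
    grep '^-A INPUT .*-j BLACKLIST$' | grep -q -- '-m state --state NEW'
}

# Typical use (not run here): sh gen.sh < blacklist.txt | iptables-restore
```

Loading the generated file with iptables-restore replaces the filter table in one atomic operation, which also avoids the per-rule table reload that makes a 1.4 MB script of individual iptables calls so slow to apply; check the result with iptables -L -n -v to confirm that only the NEW-state rule's counters grow while the BLACKLIST chain is traversed.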