Re: Optimizing Kernel for huge iptables ruleset
--- Andrew Porter <andy@defsdoor.demon.co.uk> wrote:
> On Tue, 2004-10-19 at 13:04, Martin G.H. Minkler wrote:
>
> > Two iptables rulesets:
> > The first 'normal' ruleset is pretty restrictive against connections from
> > the outside, more or less open towards connections opened from the LAN.
> > The second ruleset inserted after the first is a huge IP blacklist
> > (1.4MB iptables script!) that takes nearly half an hour to be inserted
> > into the running ruleset.
>
> There has to be a better way to do this, however -
> Make sure your list's rules are only checking against SYN packets.
> Allow non-SYN before your list checking chain.
>
In other words, add "-m state --state NEW" for a rule with target pointing
to your blacklist chain.
> This way only new connections will be compared against your massive list
> not every packet.
>
> --
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
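The ordering described in the reply above, as an added example that is not from the thread or from either poster: a small POSIX sh script that generates a filter table in iptables-restore format (my choice, not something the thread mentions) in which the blacklist lives in its own chain and is only entered for `-m state --state NEW` packets, after ESTABLISHED/RELATED traffic has already been accepted. The chain name BLACKLIST, the sample blacklist (RFC 5737 documentation addresses) and the single SSH accept rule are constructed for illustration. Feeding the output to iptables-restore also goes beyond the thread: it loads the whole table in one atomic pass, whereas a script of thousands of separate `iptables` calls re-reads and re-writes the table every time.

```shell
#!/bin/sh
# Added example (not from the thread): build a ruleset where only NEW
# connections are compared against a large blacklist chain.

# Constructed sample blacklist, one address or CIDR per line; '#' comments
# and blank lines are ignored. A real list would be read from a file.
SAMPLE_BLACKLIST='# constructed sample (RFC 5737 documentation ranges)
192.0.2.10
198.51.100.0/24

203.0.113.77
'

# Emit a complete *filter table in iptables-restore format on stdout.
# $1 = blacklist entries, newline separated.
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':BLACKLIST - [0:0]'
    # 1. Packets of already-accepted connections never reach the list.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # 2. Only connection-opening packets walk the (potentially huge) chain.
    printf '%s\n' '-A INPUT -m state --state NEW -j BLACKLIST'
    # 3. The 'normal' policy follows; it only sees NEW traffic that survived.
    printf '%s\n' '-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT'
    # One DROP per blacklist entry, kept in the dedicated chain.
    printf '%s\n' "$1" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
        while read -r net; do
            printf '%s\n' "-A BLACKLIST -s $net -j DROP"
        done
    printf '%s\n' 'COMMIT'
}

# Count the blacklist rules in a generated ruleset ($1 = ruleset text).
count_blacklist_rules() {
    printf '%s\n' "$1" | grep -c '^-A BLACKLIST '
}

# Succeed (exit 0) only if the ESTABLISHED,RELATED accept comes before the
# jump into BLACKLIST; that ordering is what keeps the list off the
# per-packet path. $1 = ruleset text.
jump_after_established() {
    printf '%s\n' "$1" | awk '
        /--state ESTABLISHED,RELATED -j ACCEPT/ { est = NR }
        /--state NEW -j BLACKLIST/              { jmp = NR }
        END { exit !(est && jmp && est < jmp) }'
}

# Usage (as root, on the firewall):
#   gen_ruleset "$(cat blacklist.txt)" | iptables-restore
```

The generator is deliberately separated from loading so the output can be inspected, diffed or checked with `iptables-restore --test` before it replaces the live table.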