
Re: Optimizing Kernel for huge iptables ruleset



--- Andrew Porter <andy@defsdoor.demon.co.uk> wrote:

> On Tue, 2004-10-19 at 13:04, Martin G.H. Minkler wrote:
> 
> > Two iptables rulesets:
> > The first 'normal' ruleset is pretty restrictive against connections
> > from the outside, more or less open towards connections opened from the
> > LAN.
> > The second ruleset inserted after the first is a huge IP blacklist
> > (1.4MB iptables script!) that takes nearly half an hour to be inserted
> > into the running ruleset.
> 
> There has to be a better way to do this, however - 
> Make sure your list's rules are only checking against SYN packets
> Allow non SYN before your list checking chain.
> 
In other words, add "-m state --state NEW" for a rule with target pointing
to your blacklist chain.

> This way only new connections will be compared against your massive list
> not every packet.

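An added example of the layout Andrew describes (this is not code from the thread): a script that turns a one-address-per-line blacklist into an iptables-restore fragment in which ESTABLISHED/RELATED traffic is accepted first and only NEW connections are sent to the blacklist chain. The chain name BLACKLIST, the input format and the use of the filter table are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the list thread. Generates an iptables-restore
# fragment: ESTABLISHED/RELATED traffic is accepted first, only NEW
# connections are sent to the blacklist chain, and the chain itself is
# filled from a blacklist of one IP or CIDR per line. The chain name,
# the input format and the use of the filter table are assumptions.

# Constructed sample blacklist; stands in for the 1.4MB script in the thread.
SAMPLE_BLACKLIST=$(printf '192.0.2.0/24\n198.51.100.7\n# comment line\n\n203.0.113.0/25\n')

# gen_blacklist_rules CHAIN : reads blacklist entries on stdin and
# writes an iptables-restore fragment for the filter table on stdout.
gen_blacklist_rules() {
    chain="$1"
    printf '%s\n' '*filter' ":$chain - [0:0]"
    # Packets of connections already accepted never reach the blacklist.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
                  '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Only the first packet of a connection (state NEW) is compared.
    printf '%s\n' "-A INPUT -m state --state NEW -j $chain" \
                  "-A FORWARD -m state --state NEW -j $chain"
    # One DROP per blacklist entry; blank lines and comments are skipped.
    grep -Ev '^[[:space:]]*(#|$)' | while IFS= read -r net; do
        printf '%s\n' "-A $chain -s $net -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# count_blacklist_entries CHAIN : number of DROP rules in a fragment on stdin
count_blacklist_entries() {
    grep -c -- "-A $1 -s .* -j DROP"
}

# Demo run on the constructed sample; redirect to a file for iptables-restore.
printf '%s\n' "$SAMPLE_BLACKLIST" | gen_blacklist_rules BLACKLIST
```

Loading the fragment with `iptables-restore --noflush` (without --noflush the whole filter table is replaced) also commits the chain in one pass instead of running iptables once per address, which is where the half hour in the original post goes.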