Daniel Pittman wrote:
> ...
>>> Finally, that is a pretty complex firewall script, and obviously
>>> somewhat hard to maintain. Maybe you would get better value for your
>>> time by using an existing firewall helper like 'firehol', or something,
>>> than re-doing the work that went into the existing tools?
>>>
>>> Of course, if your aim is to learn iptables rather than just get it
>>> working, that loses. ;)
>>
>> Yes the script is kind of long and tedious in its respects.
>
>
> Well, a decent firewall is when you express it in iptables -- the
> assembly language of firewalls. ;)

Well put. Once I learned the assembly language basics, I gave up in favour
of a higher-level language equivalent: shorewall. I was sold on it from the
day I rewrote my 1000-line ipchains script with 50 lines of shorewall
configuration. See http://www.shorewall.net for details.

> ...
> On most of the systems that people use for firewalling these
> days, the performance cost of the various tests is next to invisible,
> because the machines are grossly overpowered.

Once again, nicely put! :-)

> For example, the smallest thing I look after that does firewalling is my
> P3-550 at home, which replaced a Pentium-233, both of which could have
> handled vastly more firewall rules than I ever had, despite a much more
> complex setup than your script manages.
>
> So, unless you actually notice a performance problem you are probably
> wasting your time trying to "micro-optimize" your firewall that way,
> in my opinion.

Indeed. I recently upgraded my main firewall at home to a beefy Celeron 600! :-)

--
Paul <http://paulgear.webhop.net>
--
Did you know? Using accepted quoting conventions makes your email easier to
understand. Learn how at <http://www.netmeister.org/news/learn2quote.html>.
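To make the "higher-level language" comparison above concrete, here is an added example (not taken from either message in this thread, nor from the Shorewall project's own sample configurations) of the four or five Shorewall files that replace a hand-written iptables script for a two-interface home gateway. The interface names eth0 (Internet) and eth1 (LAN), and the LAN range 192.168.1.0/24, are assumptions for the example; Shorewall reads these files from /etc/shorewall and compiles them into the corresponding iptables rule set, so the defender reasons about zones and policies while the tool emits the "assembly".

```text
# /etc/shorewall/zones -- name the security zones (fw is the firewall box itself)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces -- bind zones to interfaces (eth0/eth1 are assumed)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter
loc     eth1        detect      tcpflags,nosmurfs

# /etc/shorewall/policy -- default behaviour between zones; first match wins,
# so the catch-all lines go last. Unsolicited traffic from the Internet is
# dropped and logged; everything else not explicitly allowed is rejected.
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
$FW     all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules -- exceptions to the policies, using built-in macros
# (SSH, Ping, DNS) that expand to the right protocol/port pairs.
#ACTION         SOURCE  DEST    PROTO   DEST PORT(S)
SSH(ACCEPT)     loc     $FW
Ping(ACCEPT)    loc     $FW
Ping(DROP)      net     $FW
DNS(ACCEPT)     $FW     net

# /etc/shorewall/masq -- NAT the LAN behind the Internet-facing address
# (192.168.1.0/24 is the assumed LAN range)
#INTERFACE  SOURCE
eth0        192.168.1.0/24
```

Before loading anything, `shorewall check` compiles the configuration without touching the running kernel rules, which is the place to catch a typo in a zone name or a policy line in the wrong order; `shorewall start` then installs the generated iptables rules. The point of the thread holds here too: the compiled rule set is larger than a hand-tuned script would be, but on any machine of the class mentioned above that cost is not measurable.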