Re: Firewall-troubleshooting

Daniel Pittman wrote:
> ...
>>>Finally, that is a pretty complex firewall script, and obviously
>>>somewhat hard to maintain.  Maybe you would get better value for your
>>>time by using an existing firewall helper like 'firehol', or something,
>>>than re-doing the work that went into the existing tools?
>>>Of course, if your aim is to learn iptables rather than just get it
>>>working, that loses. ;)
>>Yes the script is kind of long and tedious in its respects. 
> Well, a decent firewall is when you express it in iptables -- the
> assembly language of firewalls. ;)

Well-put.  Once I learned the assembly language basics, I gave up in
favour of a higher-level language equivalent: shorewall.  I was sold on
it from the day I rewrote my 1000-line ipchains script with 50 lines of
shorewall configuration.  See http://www.shorewall.net for details.

> ...
> On most of the systems that people use for firewalling these
> days, the performance cost of the various tests is next to invisible,
> because the machines are grossly overpowered.

Once again, nicely put!  :-)

> For example, the smallest thing I look after that does firewalling is my
> P3-550 at home, which replaced a Pentium-233, both of which could have
> handled vastly more firewall rules than I ever had, despite a much more
> complex setup than your script manages.
> So, unless you actually notice a performance problem you are probably
> wasting your time trying to "micro-optimize" your firewall that way,
> in my opinion.

Indeed.  I recently upgraded my main firewall at home to a beefy Celeron
600!  :-)
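For readers who have not seen what the "higher-level language" mentioned above looks like, here is an added example (not part of the original post) of a minimal Shorewall configuration for a two-interface home gateway: an untrusted Internet side on eth0 and a trusted LAN on eth1. The interface names, the 10.0.0.0/24 LAN address and the chosen services are assumptions for illustration. Each block is the contents of the named file under /etc/shorewall; Shorewall compiles these into the iptables rule set, including the connection-tracking and bogus-packet checks that a hand-written script would have to spell out.

```text
# /etc/shorewall/zones  - name the security zones
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces  - bind zones to interfaces (assumed names)
?FORMAT 2
net     eth0    dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1    tcpflags,nosmurfs,routefilter,logmartians

# /etc/shorewall/policy  - default-deny towards the firewall and the LAN,
# LAN may reach the Internet; denials are logged at "info"
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules  - the few explicit exceptions to the policy
SSH(ACCEPT)     loc     $FW
Ping(ACCEPT)    loc     $FW
Ping(DROP)      net     $FW

# /etc/shorewall/snat  - masquerade the LAN behind eth0 (assumed subnet)
MASQUERADE      10.0.0.0/24     eth0
```

The ordering matters the way it does in raw iptables: rules are consulted before the zone-to-zone policies, so the explicit SSH and ping entries take precedence over the "all all REJECT" fallback. `shorewall check` validates the files without loading them, and `shorewall show` dumps the generated iptables chains, which is the quickest way to see what the 50 lines above expand into.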

