[ale] iptables limits?
- Subject: [ale] iptables limits?
- From: bob at verysecurelinux.com (Bob Toxen)
- Date: Fri Jun 3 11:31:52 2005
- In-reply-to: <1117746280.21522.21.camel@localhost>
- References: <1117746280.21522.21.camel@localhost>
On Thu, Jun 02, 2005 at 05:04:40PM -0400, Jim Popovitch wrote:
> Are there any known limits to the number of rules in iptables? I
> currently have about 27000+ rules, with no noticeable issues. What's
> the upper limit, if there is any, and what are the limiting factors?
It would be trivial to write a shell script to test if there is a
limit at 32K or 64K to test for possible 16-bit signed or unsigned
limits. Beyond that, speed and memory are the likely limits.
Over T1 speeds that number of rules on a 1GHz+ processor should be ok.
You won't be able to saturate a 100MHz Ethernet by any means. If you
push lots of data between an internal network and a DMZ, you'll want to
put the rules that allow that traffic near the top of the chains, as
I do for clients.
I do suspect, though, that you could optimize your rule set to be
smaller.
> Thx,
> -Jim P.
Best regards,
Bob Toxen, CTO
Fly-By-Day Consulting, Inc.
d/b/a Horizon Network Security
"Your expert in Firewalls, Virus and Spam Filters, VPNs,
Network Monitoring, and Network Security consulting"
http://www.verysecurelinux.com [Network & Linux/Unix Security Consulting]
http://www.realworldlinuxsecurity.com [My 5* book: "Real World Linux Security"]
http://www.verysecurelinux.com/sunset.html [Sunset Computer]
bob at verysecurelinux.com (e-mail)
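The limit probe described in the reply above, written out as an added example (this is not code from the post or from the ALE list). It assumes a throwaway user chain named ALE_TEST and constructed source addresses from 10.0.0.0/8; both are placeholders for illustration. Rules are emitted in iptables-restore format so they can be inspected offline, and the live load only runs as root with iptables-restore present.

```shell
#!/bin/sh
# Added example (not from the original post): build a large iptables rule
# set for the kind of 32K/64K limit probe the reply suggests.
# Chain name ALE_TEST and the 10.x.y.z/32 source addresses are assumptions.

# Emit an iptables-restore fragment for the filter table holding N DROP
# rules in a dedicated user chain. The chain is never referenced from
# INPUT or FORWARD, so loading it changes no traffic decision; it only
# exercises how many rules the kernel will accept.
gen_ruleset() {
  n="$1"
  printf '%s\n' '*filter' ':ALE_TEST - [0:0]'
  i=1
  while [ "$i" -le "$n" ]; do
    # derive a distinct /32 from the counter so no two rules are identical
    a=$(( (i / 65536) % 256 )); b=$(( (i / 256) % 256 )); c=$(( i % 256 ))
    printf '%s\n' "-A ALE_TEST -s 10.$a.$b.$c/32 -j DROP"
    i=$(( i + 1 ))
  done
  printf '%s\n' 'COMMIT'
}

# Count rule lines (those beginning with "-A ") in a restore fragment or in
# the output of "iptables -S ALE_TEST".
count_rules() {
  grep -c -e '^-A '
}

# Load the fragment without flushing existing chains, then read back how
# many rules the kernel actually holds. Needs root and iptables-restore;
# returns 2 and loads nothing if either is missing.
probe_limit() {
  n="$1"
  if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
    echo "probe_limit: needs root and iptables-restore; skipping live load" >&2
    return 2
  fi
  gen_ruleset "$n" | iptables-restore --noflush || return 1
  iptables -S ALE_TEST | count_rules
  # remove the test chain again
  iptables -F ALE_TEST && iptables -X ALE_TEST
}

# Usage (as root): probe the two 16-bit boundaries named in the post.
# for n in 32768 65536; do echo "trying $n rules"; probe_limit "$n"; done
```

Two design points. The rules go through a single iptables-restore commit rather than 64K separate `iptables -A` calls, because every `iptables` invocation fetches and rewrites the whole table, so appending one rule at a time gets slower as the chain grows. And because iptables evaluates a chain top to bottom until a rule matches, the ordering advice in the reply holds for any large set: a rule for the bulk internal-to-DMZ traffic placed near the top is checked once per packet, while the same rule at position 27000 costs a walk through everything above it.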