
[no subject]



27000+ !!

You need to get out more and see the big blue room :)

RAM is the only limit I have seen in the kernel specs on it. For most
modern systems that are mostly dedicated to firewalling, the wire speed
will always be the limiting factor. The iptables process (barring
strange loops that are VERY BAD) is a quite streamlined, multi-threaded
process. I do know that performance can suffer if rule ordering is poor
and every packet is forced through every table. I get pretty good
results with a table for each protocol/port that is allowed that needs
further filtering to block out bozos (morons doing ssh scans should get
blocked on all ports as they are up to no good).

I don't know about mental space to keep the rule alignment right...
> 
> Thx,
> 
> -Jim P.
> 
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO &amp; Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
<a rel="nofollow" href="http://www.localnetsolutions.com">http://www.localnetsolutions.com</a>

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
&lt;jkinney at localnetsolutions.com&gt;
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7



</pre>
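The layout described in the message above (one chain per allowed protocol/port, with ssh scanners then dropped on all ports), written out as an added example that is not part of the original post. The service list, chain names, list names and thresholds are constructed, and the `recent` match is one assumed way to do the flagging; the message does not say which mechanism was used.

```shell
#!/bin/sh
# Added example, not from the original message. It only prints a ruleset in
# iptables-restore format; nothing is loaded into the kernel.
# Constructed for illustration: the service list, the svc_* and flag_scanner
# chain names, the "scanners"/"ssh_new" list names and every threshold.
SERVICES="tcp:22:ssh tcp:25:smtp tcp:443:https"

build_ruleset() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo ":flag_scanner - [0:0]"
    for svc in $SERVICES; do
        echo ":svc_${svc##*:} - [0:0]"
    done

    # Cheapest and most frequent verdicts first: most packets stop here.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    # A source flagged by any service chain is dropped on every port.
    echo "-A INPUT -m recent --name scanners --rcheck --seconds 3600 -j DROP"

    # One jump per allowed protocol/port, so a new connection only walks
    # the chain for its own service instead of every rule in the table.
    for svc in $SERVICES; do
        proto=${svc%%:*}; rest=${svc#*:}
        port=${rest%%:*}; name=${rest#*:}
        echo "-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j svc_$name"
        if [ "$name" = "ssh" ]; then
            # Five or more new ssh connections in 60 s marks the source.
            echo "-A svc_ssh -m recent --name ssh_new --set"
            echo "-A svc_ssh -m recent --name ssh_new --rcheck --seconds 60 --hitcount 5 -j flag_scanner"
        fi
        echo "-A svc_$name -j ACCEPT"
    done

    echo "-A flag_scanner -m recent --name scanners --set -j DROP"
    echo "COMMIT"
}

build_ruleset
```

Piping the output into `iptables-restore --test` as root parses the ruleset without committing it.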
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
</body>
</html>