Re: Why not have firewall rules by default?
Henrique de Moraes Holschuh wrote:
> On Wed, 23 Jan 2008, Rolf Kutz wrote:
>
>> On 23/01/08 08:29 -0700, Michael Loftis wrote:
>>
>>> It's better to leave the service disabled, or even better, completely
>>> uninstalled from a security standpoint, and from a DoS standpoint as
>>> well. The Linux kernel isn't very efficient at processing firewall
>>> rules. Newer
>>>
>> I thought it was very efficient in doing so. YMMV.
>>
>
> Quite the contrary. It is *dog* *slow* for non-trivial firewalls. You have
> to use a number of tricks to optimize the rule walk (many tables, hashing,
> etc), and anything that reduces the number of rules (like IPSet) is a major
> performance bonus.
>
Are you referring to the 2.4 or the 2.6 kernel?
If it is 2.6, I suggest you contact the netfilter mailing list [1] and show
them your firewall rules, with speed measurements on a real workload.
I'm sure they will try to optimize the kernel if it turns out to be a
bottleneck in the kernel.
[1] http://vger.kernel.org/vger-lists.html#netfilter
Best regards,
--Edwin
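The thread's point about ipset reducing the number of rules the kernel has to walk, shown as an added example that is not part of the original mail: the same constructed blocklist emitted once as a linear chain of per-address DROP rules and once as a single rule that consults a hash:ip set. The addresses and the set name "blocklist" are assumptions; nothing is loaded into a running kernel, the functions only print iptables-restore and ipset-restore text.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits two equivalent blocklist
# rulesets so the rule-count difference is visible. Nothing is applied to
# the kernel; output is plain text in iptables-restore / ipset restore syntax.

# Constructed sample blocklist (documentation-range addresses, assumption).
BLOCKLIST="192.0.2.10 192.0.2.11 198.51.100.7 203.0.113.99"

# Linear variant: one DROP rule per address. The kernel evaluates rules in
# order for every packet until one matches, so cost grows with list length.
linear_ruleset() {
    echo '*filter'
    for ip in $BLOCKLIST; do
        echo "-A INPUT -s $ip -j DROP"
    done
    echo 'COMMIT'
}

# ipset variant, part 1: the set itself, in "ipset restore" syntax.
# Membership lookup is a hash lookup, not a walk over the addresses.
ipset_set_definition() {
    echo 'create blocklist hash:ip'
    for ip in $BLOCKLIST; do
        echo "add blocklist $ip"
    done
}

# ipset variant, part 2: the iptables side is a single rule that consults
# the set, so the INPUT chain walk is one rule regardless of list size.
ipset_ruleset() {
    echo '*filter'
    echo '-A INPUT -m set --match-set blocklist src -j DROP'
    echo 'COMMIT'
}

# Count the iptables rules (-A lines) a ruleset function emits; this is the
# number of rules the kernel walks per packet on the INPUT chain.
count_rules() {
    "$1" | grep -c '^-A '
}
```

Run the functions and compare: with the constructed list, count_rules linear_ruleset prints 4 and count_rules ipset_ruleset prints 1, while the set definition still carries all four addresses.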