
Re: Why not have firewall rules by default?



Henrique de Moraes Holschuh wrote:
> On Wed, 23 Jan 2008, Rolf Kutz wrote:
>   
>> On 23/01/08 08:29 -0700, Michael Loftis wrote:
>>     
>>> It's better to leave the service disabled, or even better, completely  
>>> uninstalled from a security standpoint, and from a DoS standpoint as 
>>> well. The Linux kernel isn't very efficient at processing firewall 
>>> rules.  Newer 
>>>       
>> I thought it was very efficient in doing so. YMMV.
>>     
>
> Quite the contrary. It is *dog* *slow* for non-trivial firewalls.  You have
> to use a number of tricks to optimize the rule walk (many tables, hashing,
> etc), and anything that reduces the number of rules (like IPSet) is a major
> performance bonus.
>   

Are you referring to the 2.4 or 2.6 kernel?
If it is 2.6, I suggest you contact the netfilter mailing list [1]
and show them your firewall rules,
with speed measurements on a real workload.
I'm sure they will try to optimize the kernel if it turns out to be a
bottleneck in the kernel.

[1] http://vger.kernel.org/vger-lists.html#netfilter

Best regards,
--Edwin
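The two tricks Henrique mentions above (splitting the rule walk across several chains, and collapsing many rules into one ipset match) can be compared without touching a live kernel by generating the equivalent iptables-restore and ipset-restore text and counting how many INPUT rules a packet from an unlisted source has to pass. The script below is an added example written for this page, not code from the thread or from the netfilter project; the blocklist is constructed from RFC 5737 documentation ranges, and the set name `blocklist` and chain prefix `BL_` are assumptions.

```shell
#!/bin/sh
# Added example: three ways of expressing the same blocklist for netfilter,
# so the length of the INPUT rule walk can be compared offline.

# Constructed sample blocklist (RFC 5737 documentation ranges, not real data).
BLOCKLIST="203.0.113.0/24
198.51.100.0/24
192.0.2.0/24
203.0.113.128/25"

# Variant 1, flat: one DROP rule per network. The kernel evaluates these in
# order, so a packet from an unlisted source walks every one of them.
flat_rules() {
    printf '*filter\n'
    printf '%s\n' "$BLOCKLIST" | while read -r net; do
        [ -n "$net" ] && printf '%s\n' "-A INPUT -s $net -j DROP"
    done
    printf 'COMMIT\n'
}

# Variant 2, many chains: dispatch on the first octet into a per-/8 chain
# (assumed name BL_<octet>). A packet from an unlisted /8 only walks the
# dispatch rules in INPUT; the per-network rules sit in chains it never enters.
chained_rules() {
    printf '*filter\n'
    octets=$(printf '%s\n' "$BLOCKLIST" | cut -d. -f1 | sort -u)
    for o in $octets; do
        printf ':BL_%s - [0:0]\n' "$o"          # declare user chain
    done
    for o in $octets; do
        printf '%s\n' "-A INPUT -s $o.0.0.0/8 -j BL_$o"
    done
    printf '%s\n' "$BLOCKLIST" | while read -r net; do
        [ -n "$net" ] || continue
        o=${net%%.*}
        printf '%s\n' "-A BL_$o -s $net -j DROP"
    done
    printf 'COMMIT\n'
}

# Variant 3, ipset: the networks live in a hash:net set (assumed name
# blocklist) and INPUT carries a single match against it.
ipset_restore() {
    printf 'create blocklist hash:net family inet\n'
    printf '%s\n' "$BLOCKLIST" | while read -r net; do
        [ -n "$net" ] && printf 'add blocklist %s\n' "$net"
    done
}

ipset_rules() {
    printf '*filter\n'
    printf '%s\n' "-A INPUT -m set --match-set blocklist src -j DROP"
    printf 'COMMIT\n'
}

# Number of INPUT rules a packet from an unlisted source must be tested against.
input_rule_count() {
    "$1" | grep -c '^-A INPUT'
}

# Total number of rules loaded into the filter table.
total_rule_count() {
    "$1" | grep -c '^-A '
}

# Usage: write the generated text to files and load them on a test host with
#   ipset restore < blocklist.ipset && iptables-restore < rules.v4
# (loading requires root and the ip_set / xt_set modules).
```

With four networks the flat variant walks 4 INPUT rules, the chained variant 3 (one per distinct first octet), and the ipset variant 1; the gap widens linearly with the size of the blocklist for the flat form while the ipset form stays at one rule, which is the performance bonus described above.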

