Thread: [Fwbuilder-discussion] Compiling firewall
From: Michael C. <mc...@ho...> - 2008-07-14 17:29:15
I am using 2.1.19 installed from the RHEL-5 rpm on CentOS 5.2. I am compiling my firewall using "fwb_ipt -v -f xxx.fwb XXX". I have two rules that make compiling take a long time.

One rule specifies to stop any incoming traffic on the internal interface for an address table to be provided at run time. It takes almost a full minute to advance past this rule.

The other rule specifies to stop any incoming traffic on the internal interface from an address range specified at compile time to an address range specified at compile time. The first address range contains 15 addresses and the second address range contains 410 addresses. This rule takes nearly 15 minutes to compile.

Is there any simple way to speed up these two rules? The compilation of the 5 NAT rules and the 8 other filter rules totals under 3 seconds.

Thanks.

--
Michael Crider
Howell-Oregon Electric Cooperative
West Plains MO
http://www.hoecoop.org

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From: Michael C. <mc...@ho...> - 2008-07-14 18:42:15
Michael Crider wrote:
> I am using 2.1.19 installed from the RHEL-5 rpm on CentOS 5.2. I am
> compiling my firewall using "fwb_ipt -v -f xxx.fwb XXX". I have two
> rules that make compiling take a long time. One rule specifies to stop
> any incoming traffic on the internal interface for an address table to
> be provided at run time. It takes almost a full minute to advance past
> this rule. The other rule specifies to stop any incoming traffic on the
> internal interface from an address range specified at compile time to an
> address range specified at compile time. The first address range
> contains 15 addresses and the second address range contains 410
> addresses. This rule takes nearly 15 minutes to compile. Is there any
> simple way to speed up these two rules? The compilation of the 5 NAT
> rules and the 8 other filter rules total under 3 seconds.
> Thanks.

I figured out one way around it. I moved both compile time address ranges to run time, and removed the files from the computer on which I compile the firewall. They are now only on the machine where the compiled script is run, and the entire firewall compiles in less than 1 second.