Re: [Fwbuilder-discussion] Rules for many individual hosts, binary tree
From: Carsten O. <c-...@gm...> - 2007-01-02 18:20:33
On Tue, Jan 02, 2007 at 10:06:11AM -0800, Vadim Kurland wrote:
> shouldn't netmasks be the other way around - shorter netmask on the
> top and longer at the leafs ?

Yes, you were too fast :>

> it is never a good idea to do per-host policy and/or accounting for a
> large network. This causes a performance hit on the firewall and makes
> the policy quite unmanageable.

The system I explained has been working for a very long time, although it was a /23 before. The firewall uses a P4 with 3GHz and does Gigabit routing with some basic firewall rules, mainly accounting, without a significant CPU load. Speeds go up to 950 MBit/sec and we never experienced any problem with that setup.

> I am not sure I clearly understand what host template you want, but
> actually there is no way to make any host template anyway.

:(

> You could build such a tree-like structure of rules using the new
> branching action, available in fwbuilder 2.1. You still need to
> create all these network objects. Even though the tree makes packet
> analysis efficient, you still need to create a lot of objects if you
> want to end up with an individual rule for every host in /22. That's
> really too much as it will make the policy huge. It may be easier to
> have just one accounting rule and then derive per-host statistics by
> analysing the log.

How exactly would that work? I'd like to retrieve information like the following examples show (which works with several rules per host):

How much traffic from network A did host X do (since last iptables reset)?
How many packets did host Y receive from network B?
...

Bye and thanks,
-- 
Carsten Otto
c-...@gm...
www.c-otto.de
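Added example, not part of the thread and not fwbuilder's or either poster's code: one way the "single accounting rule plus log analysis" approach suggested above could answer the two questions asked at the end of the message. It assumes a rule of the form `iptables -A FORWARD -j LOG --log-prefix "ACCT "` whose output lands in the kernel log, a local /22 of 192.168.4.0/22, and two remote networks A = 10.0.0.0/8 and B = 172.16.0.0/12; all of these, the `ACCT` prefix and the sample log lines are constructed for the example. The script parses the `SRC=`, `DST=` and `LEN=` fields the iptables LOG target writes, then sums packets and IP-layer bytes per local host, per direction, per remote network.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of kernel-log output from an iptables LOG rule with
# --log-prefix "ACCT ". The last line is an unrelated kernel message and
# must be ignored by the parser.
SAMPLE_LOG = """\
Jan  2 18:20:01 fw kernel: ACCT IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=192.168.4.7 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=443 DPT=50123 WINDOW=0 RES=0x00 ACK URGP=0
Jan  2 18:20:02 fw kernel: ACCT IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=192.168.4.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=443 DPT=50123 WINDOW=0 RES=0x00 ACK URGP=0
Jan  2 18:20:02 fw kernel: ACCT IN=eth1 OUT=eth0 SRC=192.168.4.7 DST=10.0.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=50123 DPT=443 WINDOW=0 RES=0x00 ACK URGP=0
Jan  2 18:20:03 fw kernel: ACCT IN=eth1 OUT=eth0 SRC=192.168.5.9 DST=172.16.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=ICMP TYPE=8 CODE=0
Jan  2 18:20:04 fw kernel: ACCT IN=eth0 OUT=eth1 SRC=172.16.0.3 DST=192.168.5.9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=5 PROTO=ICMP TYPE=0 CODE=0
Jan  2 18:20:05 fw kernel: ACCT IN=eth0 OUT=eth1 SRC=10.0.0.200 DST=192.168.4.7 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=6 PROTO=UDP SPT=53 DPT=41000
Jan  2 18:20:06 fw kernel: eth0: link is up
"""

# Assumed addressing for the example (not from the original message).
LOCAL_NET = ipaddress.ip_network("192.168.4.0/22")
NETWORKS = {                      # must not overlap, or packets are counted twice
    "A": ipaddress.ip_network("10.0.0.0/8"),
    "B": ipaddress.ip_network("172.16.0.0/12"),
}

_FIELD = re.compile(r"\b(SRC|DST|LEN)=(\S+)")


def parse_log(text):
    """Yield (src, dst, ip_length) for every line carrying SRC/DST/LEN."""
    for line in text.splitlines():
        fields = {}
        for key, val in _FIELD.findall(line):
            # ICMP error messages embed a second [SRC=.. DST=.. LEN=..]
            # block for the quoted inner packet; keep the outer header.
            fields.setdefault(key, val)
        if not {"SRC", "DST", "LEN"} <= fields.keys():
            continue              # not a LOG line
        yield (ipaddress.ip_address(fields["SRC"]),
               ipaddress.ip_address(fields["DST"]),
               int(fields["LEN"]))


def account(records):
    """Return {(local_host, 'to'|'from', network_name): (packets, bytes)}."""
    stats = defaultdict(lambda: [0, 0])
    for src, dst, length in records:
        for name, net in NETWORKS.items():
            if src in LOCAL_NET and dst in net:
                counter = stats[(str(src), "to", name)]
            elif dst in LOCAL_NET and src in net:
                counter = stats[(str(dst), "from", name)]
            else:
                continue
            counter[0] += 1
            counter[1] += length   # LEN is the IP total length, not L2 bytes
    return {key: tuple(val) for key, val in stats.items()}


def traffic(stats, host, direction, network):
    """(packets, bytes) host sent 'to' or received 'from' the named network."""
    return stats.get((host, direction, network), (0, 0))


if __name__ == "__main__":
    stats = account(parse_log(SAMPLE_LOG))
    print("192.168.4.7 received from A:", traffic(stats, "192.168.4.7", "from", "A"))
    print("192.168.4.7 sent to A:      ", traffic(stats, "192.168.4.7", "to", "A"))
    print("192.168.5.9 received from B:", traffic(stats, "192.168.5.9", "from", "B"))
```

Two caveats worth knowing before relying on this instead of per-host rules: logging every forwarded packet with the LOG target is far more expensive than incrementing a rule counter, so at the ~950 MBit/s mentioned above the log volume itself becomes the bottleneck (the usual remedies are NFLOG/ulogd or sampling with `-m limit`, at the cost of exact counts), and the totals are only as complete as the log retention, so "since the last iptables reset" has to be reconstructed from timestamps rather than read off a counter.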