From: Steve P. <sp...@tr...> - 2003-03-24 20:13:49

I have Shorewall running on a Pentium 500 with 256 in RAM. This machine is the firewall for several web servers and a mail gateway that handles a couple thousand pieces of mail a day (net -> dmz -> loc). I am trying to be extremely paranoid about connections from loc to dmz, and have around 150 rules for it so far. This could probably go to 300 pretty easily. Is there a point when you have too many rules and it will start affecting service? Thanks for your time!
From: Tom E. <te...@sh...> - 2003-03-24 20:18:27

On Mon, 24 Mar 2003, Steve Postma wrote:

> I have Shorewall running on a Pentium 500 with 256 in RAM. This machine is
> the firewall for several web servers and a mailgateway that handles a couple
> thousand pieces of mail a day (net ->dmz->loc). I am trying to be extremely
> paranoid about connections from loc to dmz, and have around 150 rules for it
> so far.

Interesting -- I would have thought that as the level of paranoia went up that the number of rules would come down!

> This could probably go to 300 pretty easily. Is there a point when
> you have too many rules and it will start affecting service? Thanks for your
> time!

Sure -- every new connection request needs to run the gauntlet of the rules defined for that source and destination zone until a match is found. So it pays to look at these chains and order them based on the amount of traffic that you are seeing.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ te...@sh...
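A concrete way to act on Tom's advice, added here as an example and not part of the original thread or of Shorewall itself: Shorewall compiles each zone pair in the rules file into its own iptables chain (loc2dmz for loc -> dmz), and the per-rule packet counters from `iptables -vnxL loc2dmz` (the `-x` gives exact rather than abbreviated counts) show which rules are actually being hit. The script below parses such a listing, ranks the rules by hit count, and estimates how many rule evaluations the chain performs in its present order versus the order that puts the busiest rules first. The chain listing embedded in the script is constructed sample data, not output from any real firewall, and the addresses and ports in it are invented.

```shell
#!/bin/sh
# Added example (not from the original post or from Shorewall): rank the rules
# of one iptables chain by packet counter so the most-hit rules can be moved
# up in the Shorewall rules file. Input is the format of `iptables -vnxL CHAIN`.
# Counters are cleared on `shorewall restart`, so collect them after the
# firewall has been up long enough to see representative traffic.

# Constructed sample listing; addresses, ports and counts are made up.
SAMPLE_CHAIN='Chain loc2dmz (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      12        720 ACCEPT     tcp  --  *      *       10.0.1.0/24          10.0.2.10            tcp dpt:22
       3        180 ACCEPT     tcp  --  *      *       10.0.1.5             10.0.2.11            tcp dpt:3306
    8410     504600 ACCEPT     tcp  --  *      *       10.0.1.0/24          10.0.2.20            tcp dpt:25
       0          0 ACCEPT     udp  --  *      *       10.0.1.0/24          10.0.2.20            udp dpt:514
   45120    2707200 ACCEPT     tcp  --  *      *       10.0.1.0/24          10.0.2.10            tcp dpt:80
     210      12600 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# rank_rules LISTING
# Prints one line per rule: "position pkts target proto source dest last-match",
# sorted by packet count, busiest first. Position is the rule's current index
# in the chain, so a high-traffic rule with a large position is a candidate
# to move up in the rules file.
rank_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain / || /^ *pkts / { next }      # skip the two header lines
        NF >= 9 {
            pos++
            printf "%d %s %s %s %s %s %s\n", pos, $1, $3, $4, $8, $9, $NF
        }' | sort -k2,2nr
}

# heaviest_position LISTING
# Current chain position of the rule that matched the most packets.
heaviest_position() {
    rank_rules "$1" | head -n 1 | cut -d' ' -f1
}

# evaluations LISTING
# Rule evaluations performed for the counted packets in the present order:
# a packet accepted by rule i was tested against rules 1..i, so the total is
# the sum of pkts_i * i over the chain.
evaluations() {
    printf '%s\n' "$1" | awk '
        /^Chain / || /^ *pkts / { next }
        NF >= 9 { pos++; total += $1 * pos }
        END { print total + 0 }'
}

# evaluations_if_sorted LISTING
# The same cost if the rules were reordered busiest-first. This is a lower
# bound: it assumes every rule can be moved freely, which is only true for
# rules that cannot both match the same packet. Never move a DROP/REJECT past
# an ACCEPT whose match overlaps it, or vice versa, since first match wins.
evaluations_if_sorted() {
    rank_rules "$1" | awk '{ pos++; total += $2 * pos } END { print total + 0 }'
}

# Stand-alone run: show the ranking and the before/after evaluation counts.
rank_rules "$SAMPLE_CHAIN"
printf 'evaluations now: %s, busiest-first: %s\n' \
    "$(evaluations "$SAMPLE_CHAIN")" "$(evaluations_if_sorted "$SAMPLE_CHAIN")"
```

Against a live firewall you would feed it `iptables -vnxL loc2dmz` instead of the sample text. In the sample the web rule (dpt:80) is fifth in the chain yet carries the bulk of the traffic, so moving it and the SMTP rule to the top of the loc -> dmz section of the rules file cuts the evaluations for the same packets roughly fourfold while changing nothing about what is accepted, because those ACCEPT rules match disjoint destination ports.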