iptables out of memory?

VirginSnow at vfemail.net VirginSnow at vfemail.net
Sun Jun 21 17:22:17 EDT 2009


In message <155dc4110906211101h3c686132t1faca1445cca424 at mail.gmail.com>, Ben Scott writes:
> > ... iptables ... rules ...  the number rarely exceeds 5 digits
> 
>   That's still a heaping huge pile of rules.  :)

> Or have your MTA drop TCP connects on open, based on RBL DNS
> lookups.  While any given instance of the MTA doing that will be
> more expensive than a firewall rule, the fact that your kernel isn't
> wasting time processing 10,000+ firewall rules with every packet
> should be an overall win.

If you're trying to filter TCP connections, your firewall rules could
be optimized by applying the loooooong list of IP tests to SYN packets
only.  If you're filtering traffic which isn't connection oriented
(i.e. UDP), however, you'd still have to check each packet.  But you
only have to ignore one packet to kill a TCP connection: the SYN
packet (and, of course, any of its retransmissions).
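The SYN-only approach described above, as an added example that is not part of the original post: a POSIX shell script that emits iptables rules routing only new-connection SYN packets through a long block list chain, so packets of established flows never traverse it. The chain name SYN_BLOCKLIST and the addresses are constructed for illustration.

```shell
#!/bin/sh
# Constructed example: generate iptables rules that apply a long IP block
# list only to TCP SYN packets.  Assumed chain name SYN_BLOCKLIST and the
# sample networks below are invented for illustration.

# Sample block list, one network per line (constructed, not real indicators).
BLOCKLIST='192.0.2.10
198.51.100.0/24
203.0.113.77'

# Print the rules rather than applying them; review, then pipe into sh as root.
gen_rules() {
    echo 'iptables -N SYN_BLOCKLIST'
    # --syn matches SYN set with ACK, RST and FIN clear, i.e. the first packet
    # of a new connection; only those packets enter the long chain.
    echo 'iptables -A INPUT -p tcp --syn -j SYN_BLOCKLIST'
    echo "$BLOCKLIST" | while read -r net; do
        [ -n "$net" ] || continue
        echo "iptables -A SYN_BLOCKLIST -s $net -j DROP"
    done
    # Anything not listed returns to the rest of INPUT for normal processing.
    echo 'iptables -A SYN_BLOCKLIST -j RETURN'
}

# Number of per-address DROP rules generated, for sanity-checking the set.
count_drop_rules() {
    gen_rules | grep -c -- '-j DROP'
}
```

Dropping the SYN (and its retransmissions) is enough to refuse the connection, so the remaining packets of legitimate established flows pay only the cost of the single `--syn` test.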


More information about the gnhlug-discuss mailing list