Henrique de Moraes Holschuh wrote:
> On Wed, 23 Jan 2008, Rolf Kutz wrote:
>
>> On 23/01/08 08:29 -0700, Michael Loftis wrote:
>>
>>> It's better to leave the service disabled, or even better, completely
>>> uninstalled from a security standpoint, and from a DoS standpoint as
>>> well. The Linux kernel isn't very efficient at processing firewall
>>> rules. Newer
>>>
>> I thought it was very efficient in doing so. YMMV.
>>
>
> Quite the contrary. It is *dog* *slow* for non-trivial firewalls. You have
> to use a number of tricks to optimize the rule walk (many tables, hashing,
> etc), and anything that reduces the number of rules (like IPSet) is a major
> performance bonus.
>
Are you referring to the 2.4 or 2.6 kernel? If it is 2.6, I suggest you contact the netfilter mailing list [1] and show them your firewall rules, with speed measurements on a real workload. I'm sure they will try to optimize the kernel if it turns out to be a bottleneck in the kernel.

[1] http://vger.kernel.org/vger-lists.html#netfilter

Best regards,
--Edwin
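To make the point of the thread concrete, here is an added toy model of a netfilter-style rule walk. It is written for this page and is not code from the thread, from the kernel or from the ipset project; the chain names (INPUT, BLK_n), the rule counts and the packet sample are all constructed for the illustration. It blocks the same list of source addresses three ways and counts how many rule comparisons an average packet costs under each layout: a flat chain with one rule per address (the linear walk Henrique calls slow), a dispatch chain that jumps into a per-first-octet sub-chain (his "many tables" trick), and a single rule whose match is a hash-set lookup (the IPSet case).

```python
"""Toy model of netfilter rule-walk cost for three firewall layouts.

Added example, not from the thread, the kernel or ipset. Every chain name,
address and packet below is constructed for the illustration.
"""
from __future__ import annotations

import random
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Rule:
    match: Callable[[int], bool]   # predicate on the packet's source address
    target: str                    # "DROP", "ACCEPT", or a user chain to jump to


@dataclass
class Firewall:
    chains: dict[str, list[Rule]] = field(default_factory=dict)
    comparisons: int = 0           # rules evaluated so far (the "rule walk")

    def verdict(self, src: int, chain: str = "INPUT",
                default: Optional[str] = "ACCEPT") -> Optional[str]:
        """Walk `chain` top to bottom like netfilter: first terminating match wins.
        A jump into a user chain that ends without a verdict returns to the caller."""
        for rule in self.chains.get(chain, []):
            self.comparisons += 1
            if not rule.match(src):
                continue
            if rule.target in ("DROP", "ACCEPT"):
                return rule.target
            v = self.verdict(src, rule.target, default=None)
            if v is not None:
                return v
        return default


def build_flat(blocked: list[int]) -> Firewall:
    """One /32 DROP rule per address in INPUT: every packet walks the whole list."""
    fw = Firewall()
    fw.chains["INPUT"] = [Rule(lambda s, b=b: s == b, "DROP") for b in blocked]
    return fw


def build_split(blocked: list[int]) -> Firewall:
    """'Many tables': INPUT holds one range rule per first octet that jumps to a
    sub-chain BLK_<octet>, so a packet only walks the /32 rules of its own octet."""
    fw = Firewall()
    by_octet: dict[int, list[int]] = {}
    for b in blocked:
        by_octet.setdefault(b >> 24, []).append(b)
    fw.chains["INPUT"] = []
    for octet, addrs in sorted(by_octet.items()):
        name = f"BLK_{octet}"
        lo, hi = octet << 24, ((octet + 1) << 24) - 1
        fw.chains["INPUT"].append(Rule(lambda s, lo=lo, hi=hi: lo <= s <= hi, name))
        fw.chains[name] = [Rule(lambda s, b=b: s == b, "DROP") for b in addrs]
    return fw


def build_set(blocked: list[int]) -> Firewall:
    """IPSet-style: a single rule whose match is a hash lookup, so the walk is one rule."""
    fw = Firewall()
    members = frozenset(blocked)
    fw.chains["INPUT"] = [Rule(lambda s: s in members, "DROP")]
    return fw


def walk_cost(fw: Firewall, packets: list[int]) -> float:
    """Average number of rules evaluated per packet."""
    fw.comparisons = 0
    for p in packets:
        fw.verdict(p)
    return fw.comparisons / len(packets)


def demo() -> dict[str, float]:
    """Constructed workload: 16 first octets x 256 blocked /32s, and a packet mix of
    blocked sources, unblocked sources inside those octets, and sources elsewhere."""
    rng = random.Random(1)
    blocked = sorted({(octet << 24) | rng.getrandbits(24)
                      for octet in range(10, 26) for _ in range(256)})
    blocked_set = set(blocked)
    packets = rng.sample(blocked, 400)
    while len(packets) < 700:
        cand = (rng.randrange(10, 26) << 24) | rng.getrandbits(24)
        if cand not in blocked_set:
            packets.append(cand)
    packets += [(rng.randrange(100, 200) << 24) | rng.getrandbits(24) for _ in range(300)]

    fws = {"flat": build_flat(blocked), "split": build_split(blocked), "set": build_set(blocked)}
    verdicts = {name: [fw.verdict(p) for p in packets] for name, fw in fws.items()}
    assert verdicts["flat"] == verdicts["split"] == verdicts["set"]  # same policy, three layouts
    return {name: walk_cost(fw, packets) for name, fw in fws.items()}


if __name__ == "__main__":
    for layout, cost in demo().items():
        print(f"{layout:6s} {cost:8.1f} rules walked per packet")
```

The three layouts correspond to, respectively, a plain `iptables -A INPUT -s a.b.c.d -j DROP` per address; `iptables -N BLK_n` sub-chains reached with `-s n.0.0.0/8 -j BLK_n`; and `ipset create blocked hash:ip` followed by one `iptables -A INPUT -m set --match-set blocked src -j DROP`. The model counts only rule evaluations, not the per-rule matching work or cache effects a real kernel pays, so the absolute numbers are illustrative; the ordering (flat walk far above the split chains, set lookup at exactly one rule) is the point Henrique makes.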

