Re: [Eug-lug] iptables speed with large rulesets?

Thu, 03 Jun 2004 09:06:12 -0700 


perdurabo <[EMAIL PROTECTED]> writes:


 % My question, NO, questions are:

 % 1.) Will having large IPTables rulesets cause a significant
 % performance hit? I have plenty of resources to spare as all the crap I
 % have running on it now aren't taxing it much. Facts and educated
 % opinion appreciated.

 Yes, a large or complex rule set wil give you a performance hit.
 But not worse than you get with Spam Assassin.

 But, I am not clear on why you want to do this.

 If you are rejecting things on the RBL in sendmail, what
 are you gaining by having yet another list to manage?

 We process over 300,000 spam messages a day at our
 company. (http://www.ao.com) 
 There are LOTS of lists where people are having typing 
 problems and say ao.com instead of aol.com

 Between 550 rejection in sendmail and spamassassian,
 we drop lots of the messages. 

 This is so effective, that I am not clear on the iptables win.
 
 In fact, I fully expect that your iptables solution will
 come back to bite you, when you block someone who you needed
 not to block, and you have to debug why it is not working. 

 % 2.) Is there a port of OpenBSD's spamd available for Linux? I've
 % searched on Google with no luck. Are there any other slick tarpitting
 % solutions for Linux? If I could find something, I'd probably do this
 % in leiu of the iptables route, just to screw with the spammers and
 % help other folks on the net.

 Most of the "spammers" out there are actually home machines,
 small business machines, or university machines that have been
 coopted into sending or resending spam.

 When you have a U of O host that gets compromised and you 
 block U of O because of it, you might be surpized at how
 fast your network shrinks.

 "Messing with spammers" probably translates to you giving 
 your neighbors trouble, and breaking things  for unsuspecting
 innocents.

 Will you be blocking all of comcast too? 

 In general, it does not seem like a path that leads to a happier
 healthier network.






-----
John Sechrest          .         Helping people use
                        .           computers and the Internet
                          .            more effectively
                             .                      
                                 .       Internet: [EMAIL PROTECTED]
                                      .   
                                              . http://www.peak.org/~sechrest
_______________________________________________
EUGLUG mailing list
[EMAIL PROTECTED]
http://www.euglug.org/mailman/listinfo/euglug

Reply via email to