On Fri, 19 Apr 2002 07:56:03 -0400
begin  Joel Hammer <[EMAIL PROTECTED]> spewed forth:

> I use ipchains on my firewall.
> I have a lot of rules in it, some no longer needed. 
> Is there any performance hit to your transfer speed (I am on a cable
> modem) with ipchains due to the number of defined rules?

If you're running a 386-20 w/ 8Mb RAM and over 100 rules (the most used
being at the very end), and you're running a _lot_ of traffic through it
(not a typical home connection), then you might notice a slowdown.


> Along the same lines, is it significantly more efficient to have one
> rule blocking several ports rather than several rules, each blocking one
> port? Any insight appreciated.

Yes, it is much more efficient to use one rule than 10 regardless of how
many ports you match within the rule.

But it is significantly more efficient to upgrade to iptables.  With
iptables, you have connection tracking.  The original connection hits a
rule, subsequent packets from the same connection don't run the table,
they are treated according to the rule for that connection -- orders of
magnitude faster, esp. if you have lots of rules.

And if you use iptables state match, you can often reduce the number of
rules significantly.

Ciao,

David A. Bandel
-- 
Focus on the dream, not the competition.
                -- Nemesis Racing Team motto
_______________________________________________
Linux-users mailing list - http://linux-sxs.org/mailman/listinfo/linux-users
Subscribe/Unsubscribe info, Archives,and Digests are located at the above URL.
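The two approaches the reply contrasts, as an added example that is not part of the original thread: a stateless ruleset with one rule per port (what a 1:1 port of an ipchains chain looks like) next to a stateful one that puts the state match first and collapses the port list into a single multiport rule. Both enforce the same policy. The interface name (eth0) and the service list are assumptions made for the example; the script only emits iptables-restore text and does not touch the running kernel.

```shell
#!/bin/sh
# Added example, not from the original post. Two INPUT chains enforcing the
# same policy ("accept these TCP services from the outside, let replies to
# our own connections in, drop the rest"), written the two ways discussed
# in the thread. WAN_IF and SERVICES are assumed values for illustration.
WAN_IF="eth0"
SERVICES="22 80 443 25 143"

# Style 1: stateless, one rule per port. Every packet of every connection
# walks the whole list, and replies to outbound connections are let in by
# the blunt "any non-SYN TCP segment" rule at the end.
stateless_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    for port in $SERVICES; do
        printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -i $WAN_IF -p tcp ! --syn -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Style 2: stateful. The first rule matches every packet of an already
# tracked connection, so only the first packet of each new connection ever
# reaches the port list, which is now one multiport rule.
# (-m state is the match the post refers to; -m conntrack --ctstate is the
# current spelling and takes the same state names.)
stateful_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A INPUT -m state --state INVALID -j DROP"
    printf '%s\n' "-A INPUT -i $WAN_IF -p tcp -m multiport --dports $(echo $SERVICES | tr ' ' ',') -m state --state NEW -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Number of INPUT rules a packet may have to traverse before a verdict.
rule_count() { "$1" | grep -c '^-A INPUT'; }

# Load (as root):   stateful_ruleset | iptables-restore
# Syntax check:     stateful_ruleset | iptables-restore --test
```

With the assumed five services the stateless chain has six rules that every packet traverses, while the stateful chain has three, and after the first packet of a connection only the first of them is evaluated. The `! --syn` rule in the stateless version is also the weaker check: it admits any TCP segment without SYN set, whereas the state match only admits packets the kernel has seen a matching outbound connection for.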