>> Why not just '/sbin/iptables -j DROP' the incoming packets at the firewall?
>> That's what I do for around 60,000 /24 networks that pain me, not to mention
>> a few /8. :)

> The firewall still needs to spend cycles processing the incoming packets to
> determine if it should be dropped. This is the issue.

I'm missing something. 4000 packets per second isn't a big number.

I'd expect that looking up an IP address in a firewall wouldn't need many cycles. It's either a single hash table probe or something like up to 32 steps on a search tree. I'd expect that to use less CPU than sending the packet through a driver.

Is the problem logging dropped packets, or something like that? Are you running the firewall on old/slow hardware?

--
These are my opinions, not necessarily my employer's. I hate spam.

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
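As an added example (not code from the thread), here is the bounded lookup the post describes: an IPv4 prefix trie in which deciding whether a source address is covered costs at most 32 child steps, however many /24s or /8s are loaded. `PrefixTrie`, `BLOCKLIST`, `build_table` and `should_drop` are assumed names, and the prefixes are constructed documentation ranges.

```python
# Added example, not from the mailing-list thread: binary trie over IPv4
# prefixes, i.e. the "up to 32 steps on a search tree" lookup in the post.
import ipaddress

class PrefixTrie:
    """Longest-prefix-match table keyed on IPv4 network bits."""

    def __init__(self):
        self.root = {}           # node: {0: child, 1: child, "net": str}

    def add(self, cidr):
        net = ipaddress.ip_network(cidr, strict=False)
        node = self.root
        addr = int(net.network_address)
        for i in range(net.prefixlen):          # one trie level per prefix bit
            bit = (addr >> (31 - i)) & 1
            node = node.setdefault(bit, {})
        node["net"] = str(net)

    def lookup(self, ip):
        """Return (most specific covering prefix or None, trie steps taken)."""
        addr = int(ipaddress.ip_address(ip))
        node, best, steps = self.root, self.root.get("net"), 0
        for i in range(32):                     # hard upper bound: 32 steps
            bit = (addr >> (31 - i)) & 1
            if bit not in node:
                break                           # no listed prefix goes deeper
            node = node[bit]
            steps += 1
            if "net" in node:
                best = node["net"]
        return best, steps

# Constructed blocklist standing in for the "60,000 /24 networks ... and a
# few /8" in the quoted post (RFC 5737 / RFC 1918 ranges, not real offenders).
BLOCKLIST = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "10.0.0.0/8"]

def build_table(prefixes=BLOCKLIST):
    t = PrefixTrie()
    for p in prefixes:
        t.add(p)
    return t

def should_drop(table, ip):
    """Firewall-style decision: drop if any listed prefix covers the source."""
    match, steps = table.lookup(ip)
    return match is not None, steps
```

The step count returned alongside the decision makes the cost visible: a hit on a /24 walks 24 levels, a hit on a /8 walks 8, and a miss stops as soon as the address diverges from every listed prefix.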
