> Hello Cameron,
>
> Monday, September 24, 2001, 2:02:25 AM, you wrote:
>
> [...]
> CS> Instead, why not make a special chain for Nimda, and only divert
> CS> processing to it for incoming SYN packets aimed at port 80? That
> CS> way almost everything else goes through your normal tiny set of
> CS> rules, and only incoming HTTP connections incur the analysis
> CS> penalty.
>
> CS> ipchains -I input -p tcp -y -d 0.0.0.0/0 http -j NIMDA
>
> CS> and do the processing in the NIMDA chain.
>
> Very good idea. It would seem that most of the Nimda infected
> machines on the same class networks have either been disconnected or
> patched. So this should now be a viable solution (with a lot less than
> 2400 IPs). Thanks for the tip!
>
> --
> Best regards,
> Brian Curtis
Just wondering ... Yes, I totally agree with Cameron ... but what
is the actual problem here?
I presume that no one would be silly enough to have a top-level chain
with a very large number of rules, so the very first step would no
doubt be what Cameron has suggested.
But really, unless you are talking about a stand-alone computer on which
you use a lot of CPU for whatever else you normally do, I can't see why a
large chain would really be that much of a problem.
My router is a P166 with 160MB of RAM, so it is pretty slow, and my chains
have over 300 rules in them because I break my 128-IP address range up
into 4 subnets with different rules on the different subnets. The same
computer runs 3 tcpdump processes and I don't get any performance
problems on a 1.5Mbit/256K ADSL connection where my Linux computers can
get full bandwidth on close links
(but for the Windows people out there: Windows can't do it! I have
tried the same file on the same link one after the other, and Windows
can't handle 1.5Mbit on a PIII500 but a Linux P120 can :-)
So if you are running a reasonable computer you should be able to run a
pretty big chain without any problems!
Try it out, and if you get performance problems, worry about it then.
I'd be interested in how big a chain you could run without performance
problems on a fast computer :-)
-Cheers
-Andrew
--
MS ... if only he hadn't been hang gliding!
_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
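Editor's added example (not posted by anyone in this thread): a small POSIX sh script that turns a list of offending hosts into the ipchains rule set Cameron describes, a dedicated NIMDA chain that the top-level input chain only enters for inbound SYN packets to port 80. The chain name NIMDA, the `-y` SYN match and the port are taken from Cameron's command above; the input file format (one IP or CIDR per line, `#` comments allowed) and the choice to log the dropped packets with `-l` are assumptions. The script only prints commands, so you can review them before piping them into a shell on the router.

```shell
#!/bin/sh
# gen_nimda_rules.sh: emit ipchains commands for a separate NIMDA chain that is
# consulted only for new inbound HTTP connections (SYN to port 80).
# Added example, not from the thread. Input file format is an assumption:
# one IP address or CIDR block per line, blank lines and '#' comments ignored.
#
# Review:  sh gen_nimda_rules.sh infected-hosts.txt
# Apply:   sh gen_nimda_rules.sh infected-hosts.txt | sh

gen_nimda_rules() {
    list="$1"
    # Create (or re-create) the chain so the script is safe to run again.
    echo "ipchains -N NIMDA 2>/dev/null"
    echo "ipchains -F NIMDA"
    # Drop comments and blank lines; sort -u removes duplicates, which would
    # otherwise each cost a rule in the chain.
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$list" | sort -u |
    while read -r host; do
        case "$host" in
            # Crude sanity check: only digits, dots and an optional /prefix,
            # so a stray line cannot smuggle shell syntax into the output.
            *[!0-9./]*) echo "skipping malformed entry: $host" >&2; continue ;;
        esac
        echo "ipchains -A NIMDA -p tcp -s $host -d 0.0.0.0/0 80 -j DENY -l"
    done
    # Anything the chain does not match goes back to the normal input rules.
    echo "ipchains -A NIMDA -j RETURN"
    # Dispatch rule inserted at position 1 of 'input'. -y matches SYN-only
    # packets, so established HTTP traffic and every other port never walk
    # the (potentially long) NIMDA chain.
    echo "ipchains -I input 1 -p tcp -y -d 0.0.0.0/0 80 -j NIMDA"
}

# Number of DENY rules a host list would produce, e.g. to see how far a
# "2400 IPs" list shrinks after deduplication.
count_deny_rules() {
    gen_nimda_rules "$1" 2>/dev/null | grep -c ' -j DENY '
}

if [ -n "$1" ]; then
    gen_nimda_rules "$1"
fi
```

Because every rule in NIMDA carries `-p tcp` and a destination port of 80, the chain is only ever reached through the single SYN-matching dispatch rule; the cost of a long host list is paid once per new HTTP connection, not once per packet.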