On Tue, Nov 14, 2006 at 08:25:24PM -0800, Tom Eastep wrote:
> > Until I saw this, I hadn't realised that zones were both expensive and
> > unnecessary here. I guess the performance issues arise from using
> > large numbers of zones, because you get N*N possible chains with N
> > zones.
>
> Shorewall's performance is O(n * n) where n = number of networks. Each
> entry in /etc/shorewall/interfaces that specifies a zone in the ZONE
> column and each entry in /etc/shorewall/hosts is one network.
> > I presume it won't matter if I have to list the interfaces in full,
> > instead of using wildcards.
>
> Wrong!!! See above.

Ah, now that piece of information definitely should be documented somewhere; it's not at all obvious. I'll have to keep this in mind when designing the networks in future... but I think what I'll want to do on the more complicated firewalls is use an ipset instead; that should solve the problem neatly.

> You are welcome to join the Shorewall documentation team.

I didn't know that there was such a thing. I'm not really inclined to spend much time on documentation, but I might send a patch to fix the things I've spotted here...

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
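The following is an added example and not part of the thread above or of Shorewall itself. It applies the rule Tom states (n = zoned entries in /etc/shorewall/interfaces plus entries in /etc/shorewall/hosts, chains grow as n*n) to two constructed configurations: one that gives every lab subnet its own hosts entry, and one that collapses those subnets into a single hosts entry referencing an ipset. The interfaces/hosts column layout and the `eth2:+labnets` ipset reference are assumed from Shorewall's documented file formats; the sample entries, zone names and the `labnets` set name are made up, and the ipset itself is not created here (it would have to exist before Shorewall starts).

```shell
#!/bin/sh
# Added example: count the networks Shorewall will see in an
# interfaces + hosts pair and estimate the resulting zone-pair chains
# using the O(n*n) rule from the thread. Sample configs are constructed
# inline; nothing is read from a real /etc/shorewall.

# count_networks FILE
# Count entries that contribute a network: skip blank lines and '#'
# comments, and skip interfaces whose ZONE column is '-' (they get their
# zones from the hosts file instead, so they are not networks themselves).
count_networks() {
    awk '
        /^[[:space:]]*(#|$)/ { next }   # comment or blank line
        $1 == "-"            { next }   # interface with no zone of its own
                             { n++ }
        END                  { print n + 0 }
    ' "$1"
}

# total_networks INTERFACES_FILE HOSTS_FILE : n as defined in the thread
total_networks() {
    echo $(( $(count_networks "$1") + $(count_networks "$2") ))
}

# chains_for N : zone-pair chains Shorewall may generate for N networks
chains_for() {
    echo $(( $1 * $1 ))
}

sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT

# Constructed interfaces file: two zoned interfaces, one interface whose
# zones are defined per-subnet in the hosts file.
cat > "$sample_dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
# eth2 carries several lab subnets; zones for it come from hosts
-       eth2        detect
EOF

# Constructed hosts file, one zone per lab subnet (the expensive layout).
cat > "$sample_dir/hosts.per-subnet" <<'EOF'
#ZONE   HOST(S)                 OPTIONS
lab1    eth2:10.1.1.0/24
lab2    eth2:10.1.2.0/24
lab3    eth2:10.1.3.0/24
lab4    eth2:10.1.4.0/24
EOF

# Constructed hosts file using an ipset: the same four subnets are
# members of the (assumed, pre-created) set "labnets", so Shorewall sees
# one network instead of four.
cat > "$sample_dir/hosts.ipset" <<'EOF'
#ZONE   HOST(S)                 OPTIONS
lab     eth2:+labnets
EOF

report() {
    n=$(total_networks "$sample_dir/interfaces" "$sample_dir/$1")
    printf '%-18s networks=%s  zone-pair chains=%s\n' "$1" "$n" "$(chains_for "$n")"
}

report hosts.per-subnet
report hosts.ipset
```

Run it as a normal shell script; it prints one line per layout. The point it makes is that the per-subnet layout costs 6 networks (36 chains) while the ipset layout costs 3 (9 chains), and that the gap widens quadratically as more subnets are added, so consolidating subnets that share a policy into one ipset-backed zone is what keeps the ruleset small.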
