Andrew Suffield wrote:
> On Thu, Jul 12, 2007 at 11:59:46AM +0200, Götz Reinicke wrote:
>> I was thinking about optimizing my rules file. AFAIK the most often used 
>> connections should be at the top (first match) and the least used 
>> connections should be at the bottom.
>>
>> Soon we will have some more LANs behind our shorewall, so some 
>> optimization would be good to control the traffic.
>>
>> Is there a way to see, which connections are used most, so I can change 
>> the order of the rules? (Or am I completely wrong with my thought...?)
> 
> Unless you have hundreds of rules, the penalty for being at the bottom
> of the list will be small compared to the penalty for using iptables
> at all. This is unlikely to make an appreciable difference.

Indeed. The penalty for using iptables is paid on every packet while the
penalty for Shorewall rules only occurs on the first packet of session
establishment (exceptions being accounting rules and tcrules).

If you want to see which rules are used the most, you can use the "shorewall
show" command. For example, if you want to see the rules governing
connections from the net zone to the dmz zone, type:

        shorewall show net2dmz

The first column of the display is the packet count. You can re-order the
rules in decreasing order of the count but as Andrew says, the result is not
likely to be noticeable.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
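The procedure Tom describes (run `shorewall show <chain>`, read the packet count in the first column, sort the rules by it) as a small added example. This is not code from the thread or from the Shorewall project; the `net2dmz` listing below is a constructed sample in the `iptables -nvL` layout that `shorewall show` prints, with invented addresses and counters.

```shell
#!/bin/sh
# Constructed sample of a "shorewall show net2dmz" listing (the iptables -nvL
# output for that chain). Addresses and counters are invented for illustration.
SAMPLE='Chain net2dmz (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120     9600 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.1.5             tcp dpt:25
    4500   360000 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.1.2             tcp dpt:80
      30     2400 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.1.7             tcp dpt:22'

# rank_rules: read a chain listing on stdin, drop the two header lines and
# print "position pkts target match" for every rule, busiest first. The
# position is the rule's index within the chain, which is what you need to
# find the corresponding line in the rules file.
rank_rules() {
    awk 'NR > 2 && NF > 0 {
             spec = ""
             for (i = 10; i <= NF; i++) spec = spec " " $i
             printf "%d %d %s%s\n", NR - 2, $1, $3, spec
         }' |
    sort -k2,2nr
}

# busiest_rule: position of the rule that has matched the most packets.
busiest_rule() {
    rank_rules | head -n 1 | awk '{ print $1 }'
}

# On a live system replace the constructed sample with:
#   shorewall show net2dmz | rank_rules
printf '%s\n' "$SAMPLE" | rank_rules
```

The counters are per chain and are reset whenever Shorewall rebuilds its chains (restart, refresh), so read them only after the firewall has been up long enough for the numbers to reflect normal traffic. As Tom notes, the ranking is informational; reordering by it rarely changes anything measurable.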


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
