Guy,
Tuesday, August 27, 2002 you wrote:
GI> This seems to be in line with my observation that no one (to my knowledge)
GI> ever reported a deterioration in performance with largish ACLs (or rules,
GI> etc.). I simply wonder if going from 700 entries to 7,000 would incur a
GI> ten-fold penalty -- whether this is discernable or not depends on the
GI> hardware used, obviously.

At the rate I'm going it appears I may find out!

Actually the sense I have is that IMAIL will handle several
thousand ranges without too much trouble because I believe they
are stored in memory for the program. I'm certain there is some
sort of limit but I suspect it is pretty large.

GI> Do you have an estimate as to how this number weighs as regards the whole
GI> process? Even something as basic as saying it's linear or it's exponential?

I don't know right now. I chose 5 because I saw a lot of mistakes
but few that made it to 5. I'm tailing the log and refreshing
every 1 second and 5 seems to be a reasonable number that doesn't
capture too many valid mistakes but also catches most of the
attacks which generally are in the 20 to 25 recipient range.

I'm going to try a shorter interval but my suspicion is that the
log is not flushed on each line so it may not be an improvement.

The ideal way to do this in my opinion would be a setting with
IMAIL that allows you to set this number. I think the way I'm
doing it is poor at best.

I did try to test Roger's Black Ice but ISS has not been very
helpful in that regard so I've still been unable to demo it.

GI> Thanks for reporting on your current project status. Sorting and
GI> then determining IP ranges makes sense although it is not trivial,
GI> as I see it. What language are you using, btw?

I'm using Perl. Actually I've made a lot of progress. The
program is running just as a script right now. But I have a
working service program that I'm still writing. I have solved all
the daemon issues so I can install it, start it, stop it, and
remove it. And I have it more or less working with smaller
intervals than 1 second.

The range issue isn't too bad. I've already done some of that in
the ACL maintenance interface I wrote so I think I will be able to
sort the list and then determine CIDR notation which I then
convert to IP and mask.

The whole thing is pretty involved really. Determining what
constitutes a violation appears easy but is more difficult in
fact. Then there is the range issue and when the ACL file should
be rewritten and logic to test it to see if it was changed first
and then how to merge and so on. And you have to toggle the SMTP
service too.

Roger's Black Ice is a better idea I think all the way around or some
sort of built-in logic to IMAIL or switch to Len's IMGATE.

Terry
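
The pipeline described in the message (count violations per source, apply the threshold of 5, sort the offenders, collapse them to CIDR, convert to IP and mask), sketched in Python as an added example that is not Terry's Perl program. The log line format, the choice to count rejected recipients, and all names are assumptions; the sample log is constructed.

```python
import ipaddress
import re
from collections import Counter

THRESHOLD = 5  # cut-off chosen in the message; attacks run 20 to 25 recipients

# Hypothetical log line format (an assumption, not IMail's real log layout).
LINE_RE = re.compile(r"SMTPD \[(\d{1,3}(?:\.\d{1,3}){3})\] RCPT rejected ")


def sample_lines(ip, n):
    """Build n constructed log lines for one source address."""
    return [f"08:27 10:00:01 SMTPD [{ip}] RCPT rejected <user{i}@example.test>"
            for i in range(n)]


# Constructed sample: four adjacent attackers, one honest mistake, one loner.
SAMPLE_LOG = "\n".join(
    sample_lines("192.0.2.9", 20) + sample_lines("192.0.2.8", 22)
    + sample_lines("192.0.2.11", 21) + sample_lines("192.0.2.10", 25)
    + sample_lines("198.51.100.7", 3) + sample_lines("203.0.113.5", 24))


def offenders(log_text, threshold=THRESHOLD):
    """Return the sorted source addresses with >= threshold rejected recipients."""
    counts = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            counts[ipaddress.IPv4Address(match.group(1))] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def to_acl_entries(ips):
    """Merge addresses into the fewest exact CIDR blocks, as (ip, mask) pairs.

    Only complete, aligned blocks are merged, so no unlisted address is
    ever swept into a deny range.
    """
    nets = ipaddress.collapse_addresses(
        ipaddress.IPv4Network(str(ip)) for ip in ips)
    return [(str(net.network_address), str(net.netmask)) for net in nets]


if __name__ == "__main__":
    for ip, mask in to_acl_entries(offenders(SAMPLE_LOG)):
        print(ip, mask)
```

On the sample, the four adjacent sources become one /30 entry and the source with three rejections stays off the list, which is the trade-off the threshold of 5 is meant to strike.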