Hi,

Our university network (134.60.*.*) currently uses a Checkpoint firewall, but (due to some problems) we want to switch to a Linux 2.4 iptables firewall.

Currently, we have an allow-all, deny-some policy, but our new (planned) policy would be deny all, allow some with UDP and incoming TCP, and deny some on outgoing TCP. As there is no real pattern regarding which IP addresses provide which services (each local department admin is free to offer services - this is a university), this could easily result in a few thousand rules. As the firewall has to cope with about 600 MBit peak bandwidth, scalability is an issue. A linear walk through those thousands of rules would surely be much too slow.

I did some googling and scanned through the FAQ and most of the HOWTOs on netfilter.samba.org, but didn't find anything useful about scalability.

So now our question is: How scalable is the Linux firewalling architecture? Is there any internal optimization on the rules? Do you have any pointers to documentation or benchmark results about this?

Thank you very much,
markus

--
"Your opinion is repugnant to me, but I will let myself be beaten to death so that you may say it." - Voltaire
