> Jopoy C. Solano wrote:
>> Would a lot of iptables rules slow down the machine?
>
> Slow down the machine itself? Or slow down network traffic?
> iptables itself compared to other packet filters like ipf or ipfw is
> very fast because it resides in kernel space; overhead is almost a
> non-issue (unlike, for example, ipf or ipfw, which use userland tools).
imho ipf/ipfw also reside in kernel space (e.g. options IPFILTER). iptables also uses a userland tool to alter the ruleset, via the 'iptables' command itself.

By default, iptables may be noticeably faster only in stateless filtering. It's due to the fact that it evaluates the rule set only once, by using a forwarding chain. The forwarding chain evaluates the rule set based on a packet's complete path through the machine.

And the reason why iptables may be "faster(?)" than other packet filters like ipf is due to the lack of true stateful tracking. iptables only uses "connection tracking", which does not monitor the sid (but I think this functionality is available already via patch-o-matic).

Overhead due to hundreds of iptables rules may not be an issue to others.

cheers!

-- 
Philippine Linux Users' Group (PLUG) Mailing List (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
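The thread's question (do hundreds of rules cost anything?) and its answer (a chain is a first-match walk, and connection tracking lets most packets short-circuit it) can be made concrete with a small model. The following is an added example, not code from the PLUG thread or from netfilter: it simulates a first-match chain with a toy connection-tracking table and counts how many rules each packet touches. The rule fields, the 300 constructed filler rules, the 192.0.2.10/198.51.100.5 addresses and the `build_chain`/`sample_flow` helpers are all assumptions made for illustration; real netfilter conntrack is a hash-table lookup, not a rule, so the model only shows the evaluation-count effect of placing an ESTABLISHED accept rule at the top of a long chain.

```python
"""Toy model of netfilter-style first-match chain evaluation with a
connection-tracking shortcut.  Added example; not from the original
PLUG thread.  All rules, addresses and counts below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # source address (constructed sample values)
    dst: str    # destination address
    dport: int  # destination port


@dataclass
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    dport: Optional[int] = None  # match on destination port, None = any
    src: Optional[str] = None    # match on source address prefix, None = any
    established: bool = False    # match only packets of an already tracked flow

    def matches(self, pkt: Packet, tracked: bool) -> bool:
        if self.established and not tracked:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src is not None and not pkt.src.startswith(self.src):
            return False
        return True


@dataclass
class Chain:
    rules: List[Rule]
    policy: str = "DROP"                                   # verdict when nothing matches
    conntrack: Set[Tuple[str, str, int]] = field(default_factory=set)

    def evaluate(self, pkt: Packet) -> Tuple[str, int]:
        """Walk rules top to bottom, first match wins.
        Returns (verdict, number_of_rules_examined)."""
        key = (pkt.src, pkt.dst, pkt.dport)
        tracked = key in self.conntrack
        examined = 0
        for rule in self.rules:
            examined += 1
            if rule.matches(pkt, tracked):
                if rule.action == "ACCEPT":
                    # an accepted packet creates/refreshes the tracked flow
                    self.conntrack.add(key)
                return rule.action, examined
        return self.policy, examined


def build_chain(n_filler: int, early_established: bool) -> Chain:
    """Constructed ruleset: optional ESTABLISHED shortcut, then n_filler
    source-based DROP rules (the 'hundreds of rules' case), then service accepts."""
    rules: List[Rule] = []
    if early_established:
        rules.append(Rule("ACCEPT", established=True))
    rules += [Rule("DROP", src=f"10.99.{i % 256}.") for i in range(n_filler)]
    rules += [Rule("ACCEPT", dport=22), Rule("ACCEPT", dport=80)]
    return Chain(rules)


def sample_flow(n_packets: int) -> List[Packet]:
    """Constructed: one HTTP connection, first packet plus n-1 follow-ups."""
    return [Packet("192.0.2.10", "198.51.100.5", 80) for _ in range(n_packets)]


def total_rules_examined(chain: Chain, packets: List[Packet]) -> int:
    """Sum of rules touched across all packets of the flow."""
    return sum(chain.evaluate(p)[1] for p in packets)


if __name__ == "__main__":
    flow = sample_flow(10)
    for early in (False, True):
        chain = build_chain(300, early)
        print(f"early ESTABLISHED rule={early}: "
              f"{total_rules_examined(chain, flow)} rule evaluations for {len(flow)} packets")
```

Without the shortcut every packet of the connection walks all 300 filler rules before reaching the port-80 accept; with it, only the first packet does and the rest match at rule one. The cost of a long chain is therefore paid mostly by new connections and by traffic that the filler rules do not match at all, which is the usual argument for ordering rules by expected hit rate and keeping the stateful accept at the top.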
