Re: Why not have firewall rules by default?
On Fri, 25 Jan 2008, Török Edwin wrote:
> If it is 2.6, I suggest you contact the netfilter mailing list [1],
> and show them your firewall rules,

What makes you think they don't know about this? It is a design detail of the way netfilter is implemented, and the two methods of acceleration I mentioned (ip sets and hipac) are linked on the front page of www.netfilter.org. Hashes and other ways of making the packet travel a tree of tables instead of a single very long one are just obvious ways to optimize it from userspace.

> with speed measurements on a real workload.

There are papers on these, also linked (indirectly, I believe) from www.netfilter.org. I have read at least one by the ip set guys, and another from the hipac guys about one year ago. I expect the netfilter.org crew actually *write* such papers when they are bored; there is no way they don't know about it. It is a trade-off on code complexity or some such.

And standard netfilter *is* good enough for most uses, plus with the way CPU power is increasing, it is likely to remain good enough for most uses for quite a while yet.

-- 
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Why not have firewall rules by default?
Henrique de Moraes Holschuh wrote:
> On Wed, 23 Jan 2008, Rolf Kutz wrote:
>> On 23/01/08 08:29 -0700, Michael Loftis wrote:
>>> It's better to leave the service disabled, or even better, completely
>>> uninstalled from a security standpoint, and from a DoS standpoint as
>>> well. The Linux kernel isn't very efficient at processing firewall
>>> rules. Newer
>>
>> I thought it was very efficient in doing so. YMMV.
>
> Quite the contrary. It is *dog* *slow* for non-trivial firewalls. You have
> to use a number of tricks to optimize the rule walk (many tables, hashing,
> etc), and anything that reduces the number of rules (like IPSet) is a major
> performance bonus.

Are you referring to the 2.4 or 2.6 kernel? If it is 2.6, I suggest you contact the netfilter mailing list [1], and show them your firewall rules, with speed measurements on a real workload. I'm sure they will try to optimize the kernel, if it turns out to be a bottleneck in the kernel.

[1] http://vger.kernel.org/vger-lists.html#netfilter

Best regards,
--Edwin
Re: Why not have firewall rules by default?
On Wed, 23 Jan 2008, Rolf Kutz wrote:
> On 23/01/08 08:29 -0700, Michael Loftis wrote:
>> It's better to leave the service disabled, or even better, completely
>> uninstalled from a security standpoint, and from a DoS standpoint as
>> well. The Linux kernel isn't very efficient at processing firewall
>> rules. Newer
>
> I thought it was very efficient in doing so. YMMV.

Quite the contrary. It is *dog* *slow* for non-trivial firewalls. You have to use a number of tricks to optimize the rule walk (many tables, hashing, etc), and anything that reduces the number of rules (like IPSet) is a major performance bonus.

Or you can rip the standard netfilter firewall out, and install a high-performance one (such as HiPAC), but those are mostly unmaintained these days, and have a lot fewer features than the standard one.

You need to be doing some *heavy* firewalling (many rules) for any of that to really matter, and on very fast links (gigabit), because nobody will notice the firewall's speed on something like a 10Mbit/s link...

-- 
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
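Henrique's two posts describe the same trick from two angles: "many tables, hashing ... anything that reduces the number of rules (like IPSet)" here, and "making the packet travel a tree of tables instead of a single very long one" in his later reply. The script below is an added example, written for this page and not taken from the thread or from the netfilter project. It builds a constructed blocklist (sample_blocklist, 200 /16 prefixes, not a real list) and emits three equivalent rulesets in iptables-restore / ipset-restore syntax: a flat chain, a first-octet dispatch tree of chains, and a single ipset hash:net set. It never calls iptables; it only prints, so it runs on any POSIX sh. The chain name BLOCK, the set name blocklist and the helper names are the example's own; -m set --match-set is ipset's real iptables match.

```shell
#!/bin/sh
# Added example (not from the thread). Shows why a tree of chains or an
# ipset beats one long chain: a packet that matches nothing walks every
# rule of the chain it is in. Flat chain: N rules. Dispatch tree: one
# rule per populated first octet, then only that octet's sub-chain.
# ipset hash:net: one rule, hash lookup, cost roughly constant in N.

# sample_blocklist -- constructed input, not a real blocklist:
# four /16s under each of the first octets 1..50 (200 prefixes).
sample_blocklist() {
    o=1
    while [ "$o" -le 50 ]; do
        for s in 1 2 3 4; do
            printf '%s.%s.0.0/16\n' "$o" "$s"
        done
        o=$((o + 1))
    done
}

# gen_flat FILE -- one DROP rule per CIDR in a single BLOCK chain
gen_flat() {
    printf '*filter\n:BLOCK - [0:0]\n'
    while read -r cidr; do
        [ -n "$cidr" ] || continue
        printf '%s -s %s -j DROP\n' '-A BLOCK' "$cidr"
    done < "$1"
    printf '%s -j RETURN\nCOMMIT\n' '-A BLOCK'
}

# gen_tree FILE -- BLOCK only tests /8s and jumps into BLOCK_<octet>
gen_tree() {
    printf '*filter\n:BLOCK - [0:0]\n'
    octets=$(cut -d. -f1 "$1" | sort -n | uniq)
    for o in $octets; do
        printf ':BLOCK_%s - [0:0]\n' "$o"
    done
    for o in $octets; do
        # one /8 test per populated octet; the rest of the list is skipped
        printf '%s -s %s.0.0.0/8 -j BLOCK_%s\n' '-A BLOCK' "$o" "$o"
    done
    while read -r cidr; do
        [ -n "$cidr" ] || continue
        o=${cidr%%.*}
        printf '%s_%s -s %s -j DROP\n' '-A BLOCK' "$o" "$cidr"
    done < "$1"
    printf '%s -j RETURN\nCOMMIT\n' '-A BLOCK'
}

# gen_ipset FILE -- ipset-restore text; pair it with one iptables rule:
#   -A BLOCK -m set --match-set blocklist src -j DROP
gen_ipset() {
    printf 'create blocklist hash:net family inet\n'
    while read -r cidr; do
        [ -n "$cidr" ] || continue
        printf 'add blocklist %s\n' "$cidr"
    done < "$1"
}

# rules_walked RULESET CHAIN -- number of '-s' rules in CHAIN, i.e. the
# worst-case walk for a packet that matches none of them
rules_walked() {
    printf '%s\n' "$1" | grep -c "^-A $2 -s"
}

# worst_case_tree RULESET -- dispatch rules plus the largest sub-chain
worst_case_tree() {
    dispatch=$(rules_walked "$1" BLOCK)
    largest=$(printf '%s\n' "$1" | grep '^-A BLOCK_[0-9]* -s' \
        | cut -d' ' -f2 | sort | uniq -c | sort -rn | head -n1 \
        | awk '{print $1}')
    echo $((dispatch + ${largest:-0}))
}

# usage: sh rule-tree.sh flat|tree|ipset   (emits rules for the sample list)
if [ "$#" -eq 1 ]; then
    tmp=$(mktemp)
    sample_blocklist > "$tmp"
    case "$1" in
        flat)  gen_flat  "$tmp" ;;
        tree)  gen_tree  "$tmp" ;;
        ipset) gen_ipset "$tmp" ;;
        *)     echo "usage: $0 flat|tree|ipset" >&2 ;;
    esac
    rm -f "$tmp"
fi
```

For the sample list the flat chain walks 200 rules in the worst case, the tree walks 50 dispatch rules plus a 4-rule sub-chain (54), and the ipset form walks one rule. The tree only pays off when the prefixes are spread across many first octets; a list concentrated in one /8 needs a deeper split (second octet, or an ipset), which is the "you need to be doing heavy firewalling for this to matter" point above.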
Re: Why not have firewall rules by default?
Hi

Little something on the side, while it's in my mind.

If there was anything I would like to see, it is more of netfilter's patch-o-matic available in the kernel. Hence, less need to wget patch-o-matic and to follow the process. It's not a big task, but still, a total time waster.

Anyway, I know this will fall on deaf ears, so keep cool.

Regards and all the best.
Brent Clark