[ale] iptables limits?
James P. Kinney III
jkinney at localnetsolutions.com
Thu Jun 2 19:14:34 EDT 2005
On Thu, 2005-06-02 at 17:04 -0400, Jim Popovitch wrote:
> Are there any known limits to the number of rules in iptables? I
> currently have about 27000+ rules, with no noticeable issues. What's
> the upper limit, if there is any, and what are the limiting factors?
27000+ !!
You need to get out more and see the big blue room :)
Ram is the only limit I have seen in the kernel specs on it. For most
modern systems that are mostly dedicated to firewalling, the wire speed
will always be the limiting factor. The iptables process (barring
strange loops that are VERY BAD) is a quite streamlined, multi-threaded
process. I do know that performance can suffer if rule ordering is poor
and every packet is forced through every table. I get pretty good
results with a table for each protocol/port that is allowed that nees
further filtering to block out bozo's (morons doing ssh scans should get
blocked on all ports as they are up to no good)
I don't know about mental space to keep the rule alignment right...
>
> Thx,
>
> -Jim P.
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
--
James P. Kinney III \Changing the mobile computing world/
CEO & Director of Engineering \ one Linux user /
Local Net Solutions,LLC \ at a time. /
770-493-8244 \.___________________________./
http://www.localnetsolutions.com
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
More information about the Ale
mailing list