Re: Why not have firewall rules by default?
Henrique de Moraes Holschuh wrote:
> On Wed, 23 Jan 2008, Rolf Kutz wrote:
>
>> On 23/01/08 08:29 -0700, Michael Loftis wrote:
>>
>>> It's better to leave the service disabled, or even better, completely
>>> uninstalled from a security standpoint, and from a DoS standpoint as
>>> well. The Linux kernel isn't very efficient at processing firewall
>>> rules. Newer
>>>
>> I thought it was very efficient in doing so. YMMV.
>>
>
> Quite the contrary. It is *dog* *slow* for non-trivial firewalls. You have
> to use a number of tricks to optimize the rule walk (many tables, hashing,
> etc), and anything that reduces the number of rules (like IPSet) is a major
> performance bonus.
>
Are you referring to 2.4 or 2.6 kernel?
If it is 2.6, I suggest you contact the netfilter mailing list [1]
and show them your firewall rules,
with speed measurements on a real workload.
I'm sure they will try to optimize the kernel, if it turns out to be a
bottleneck in the kernel.
[1] http://vger.kernel.org/vger-lists.html#netfilter
Best regards,
--Edwin
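The point Henrique makes above (fewer rules to walk, IPSet as the way to get there) is easy to see side by side. The script below is an added illustration, not something posted in this thread: it emits the same blocklist once as a linear chain of per-address iptables rules and once as a single `-m set` rule backed by an ipset `hash:net` set. It only writes iptables-restore and ipset-restore text to stdout, so it can be inspected before anything is loaded; the addresses are constructed from the RFC 5737 documentation ranges, and the ipset 6 / iptables 1.4 syntax is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: one blocklist, two encodings.
# Emits iptables-restore and ipset-restore text only; the running
# kernel is not touched. Assumes ipset 6+ and iptables 1.4+ syntax.

# Constructed sample blocklist (RFC 5737 documentation ranges).
BLOCKLIST="192.0.2.0/24
198.51.100.7
198.51.100.8
203.0.113.0/25
203.0.113.200
203.0.113.201"

# Linear variant: one INPUT rule per entry. A packet that matches none
# of them is compared against every rule before it leaves the chain,
# so the cost grows with the size of the list.
linear_rules() {
    printf '*filter\n'
    printf '%s\n' "$BLOCKLIST" | while read -r net; do
        [ -n "$net" ] || continue
        printf '%s\n' "-A INPUT -s $net -j DROP"
    done
    printf 'COMMIT\n'
}

# ipset variant, part 1: the entries live in a hash:net set (ipset
# restore format), looked up by hash rather than by walking rules.
ipset_set() {
    printf 'create blocklist hash:net family inet hashsize 1024 maxelem 65536\n'
    printf '%s\n' "$BLOCKLIST" | while read -r net; do
        [ -n "$net" ] || continue
        printf 'add blocklist %s\n' "$net"
    done
}

# ipset variant, part 2: the chain carries exactly one rule, whatever
# the size of the set.
ipset_rules() {
    printf '*filter\n'
    printf '%s\n' '-A INPUT -m set --match-set blocklist src -j DROP'
    printf 'COMMIT\n'
}

# Count rule lines (those starting with "-A ") in an iptables-restore stream.
count_rules() {
    grep -c '^-A '
}
```

To load the ipset form, feed `ipset_set` to `ipset restore` first (the set must exist before the rule that references it) and then `ipset_rules` to `iptables-restore`; `linear_rules | count_rules` versus `ipset_rules | count_rules` shows the rule count the kernel has to walk dropping from the size of the list to one. The set can then be updated with `ipset add`/`ipset del` without reloading the chain at all, which is the operational reason such lists are kept in sets rather than in rules.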
Received on Fri Jan 25 13:26:35 2008
This archive was generated by hypermail 2.1.8: Wed Mar 19 2008 - 06:55:29 EDT