From: Edmundo Carmona <eantoranz@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Fwd: Maximum number of rules in iptables?
Date: Wed, 14 Sep 2005 09:42:21 -0400
Message-ID: <65aa6af90509140642601d0640@mail.gmail.com>
In-Reply-To: <65aa6af905091406415094a9ff@mail.gmail.com>

Time and time again.... I forgot to mail netfilter. I always remember
to do it half a second after I press "send". :-(

---------- Forwarded message ----------
From: Edmundo Carmona <eantoranz@gmail.com>
Date: Sep 14, 2005 9:41 AM
Subject: Re: Maximum number of rules in iptables?
To: /dev/rob0 <rob0@gmx.co.uk>


Well... I guess there happen to be so many rules in those scripts
because they *could* come out (programmatically speaking) more
easily that way.... I'm not saying it's because of that (I haven't sat
down to think about a firewall script generator tool)... but it could
play a part.

On 9/14/05, /dev/rob0 <rob0@gmx.co.uk> wrote:
> > On 9/13/05, Peggy Kam <ppkam@n-dsi.com> wrote:
> > > What is the maximum number of policies I can define in the
> > > iptables? ie. how much memory is allocated for iptables?
>
> I'm sure the answer is in the kernel source code if you need it. This
> forum is more for users than developers. You could try asking on LKML
> or on netfilter-devel, but I don't think you would be well-received
> there unless you showed an effort to find your own answers.
>
> Opinion as a user: it's probably dynamically allocated; more memory is
> used in cases where there are more rules, or where the rules require.
>
> Remembered from Googling: it's not ever likely to be a factor.
>
> Personal experience: an 8MB 80386 is quite capable of handling NAT for
> home and small business broadband connections. I increased the default
> number of connection tracking table (ip_conntrack_max) entries, but
> otherwise had no problem.
>
> On Tuesday 2005-September-13 22:41, Edmundo Carmona wrote:
> > that's a NFI for me. A whole bunch.... I've seen red hat scripts that
> > are way longer than mine. ;-)
>
> I think it's safe to say that if you're making that many rules, you're
> doing something wrong. :) I said the same thing in this thread to this
> poster over a month ago.
>
> Red Hat iptables rules (that I have seen) are terrible. Do they have
> anyone on staff who understands firewalling? If so, they're not working
> on the firewalls.
> --
>     mail to this address is discarded unless "/dev/rob0"
>     or "not-spam" is in Subject: header
>
>

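Nobody in the thread actually counts rules or shows what a generated, one-rule-per-port ruleset looks like once tidied up. The following is an added example written for this page, not code from the thread or from any netfilter tool: it parses iptables-save output, reports rules per table/chain, and merges consecutive rules that differ only in --dport into a single -m multiport --dports match (the approach behind the earlier "multiports" subject in this thread). The dump is constructed, the function names are my own, and the 15-port cap is multiport's documented maximum (a port range counts as two).

```python
"""Count iptables rules from an iptables-save dump and collapse per-port
rules into multiport matches. Added example; constructed input."""
import re
from itertools import groupby

# Constructed sample in the generated, one-rule-per-port style the thread
# complains about. Not taken from any real host or distribution script.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

DPORT_RE = re.compile(r" --dport (\S+)")
# multiport accepts at most 15 ports per match; a range a:b counts as two.
MULTIPORT_LIMIT = 15


def parse_dump(text):
    """Return {(table, chain): [rule, ...]} from iptables-save output."""
    rules = {}
    table = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # *filter, *nat, ...
            table = line[1:]
        elif line.startswith(":"):               # :CHAIN POLICY [pkts:bytes]
            rules.setdefault((table, line[1:].split()[0]), [])
        elif line.startswith("-A "):             # -A CHAIN <match> -j TARGET
            rules.setdefault((table, line.split()[1]), []).append(line)
        elif line == "COMMIT":
            table = None
    return rules


def count_rules(text):
    """Rules per (table, chain); this is what grows with generated scripts."""
    return {key: len(rules) for key, rules in parse_dump(text).items()}


def collapse_dports(rules):
    """Merge runs of consecutive rules that differ only in --dport.

    Only adjacent rules are merged, so first-match ordering relative to the
    surrounding rules is unchanged."""
    out = []
    for key, run in groupby(rules, key=lambda r: DPORT_RE.sub(" --dport PORT", r)):
        run = list(run)
        if "--dport PORT" not in key or len(run) == 1:
            out.extend(run)
            continue
        ports = [DPORT_RE.search(r).group(1) for r in run]
        # iptables-save writes the protocol match as '-m tcp'/'-m udp';
        # multiport replaces it, so drop it together with the single --dport.
        template = re.sub(r"( -m (?:tcp|udp))? --dport PORT",
                          " -m multiport --dports @PORTS@", key)
        chunk, weight = [], 0
        for port in ports:
            cost = 2 if ":" in port else 1
            if weight + cost > MULTIPORT_LIMIT:
                out.append(template.replace("@PORTS@", ",".join(chunk)))
                chunk, weight = [], 0
            chunk.append(port)
            weight += cost
        out.append(template.replace("@PORTS@", ",".join(chunk)))
    return out


def collapse_dump(text):
    return {key: collapse_dports(rules) for key, rules in parse_dump(text).items()}


def summarize(text):
    """{(table, chain): (rules before, rules after collapsing)}."""
    before = count_rules(text)
    after = {key: len(rules) for key, rules in collapse_dump(text).items()}
    return {key: (before[key], after[key]) for key in before}


if __name__ == "__main__":
    for (table, chain), (b, a) in summarize(SAMPLE_DUMP).items():
        print(f"{table}/{chain}: {b} rules -> {a} rules")
    for rule in collapse_dump(SAMPLE_DUMP)[("filter", "INPUT")]:
        print(rule)
```

On the sample, INPUT drops from 13 rules to 5. Note that this touches only the rule count; the connection tracking table (ip_conntrack_max) that rob0 raised is a separate resource and is unaffected by how many rules you have.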

Thread overview: 16+ messages
2005-08-04 19:36 multiports Peggy Kam
2005-08-05  6:34 ` multiports Jan Engelhardt
2005-08-10 20:13   ` Maximum number of ports? Peggy Kam
2005-08-11 16:54     ` /dev/rob0
2005-09-13 22:10     ` Maximum number of rules in iptables? Peggy Kam
2005-09-14  3:41       ` Edmundo Carmona
2005-09-14  4:44         ` /dev/rob0
     [not found]           ` <65aa6af905091406415094a9ff@mail.gmail.com>
2005-09-14 13:42             ` Edmundo Carmona [this message]
2005-09-15 15:22       ` iptables rules Peggy Kam
2005-09-15 15:26         ` Jörg Harmuth
2005-09-15 15:37           ` Peggy Kam
2005-09-15 16:23             ` Jörg Harmuth
2005-10-21 13:46               ` Realos
2005-10-21 16:03                 ` Rob Sterenborg
2005-10-21 16:19                 ` Jörg Harmuth
2005-09-15 15:33         ` Jörg Harmuth