Linux Netfilter discussions
* Rule Set Size vs Performance Follow-up
@ 2004-07-29 15:08 David Cary Hart
  2004-07-29 16:46 ` Feizhou
  0 siblings, 1 reply; 2+ messages in thread
From: David Cary Hart @ 2004-07-29 15:08 UTC (permalink / raw)
  To: netfilter

The issue was a large number of dpt 80 rules that are added by a script
from Snort exploits.

The suggested solution was to move these to a new chain so that only
packets destined for httpd would have to traverse several hundred
(hopefully temporary) rules.

Not only does this make logical sense but I notice a definite
improvement in DNS (which is the most apparent performance issue).

Thanks.

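The layout David describes, written out as an added example (not a script from the thread or from the Snort side): the per-exploit `dpt 80` rules go into their own chain, and `INPUT` carries a single jump into that chain for `tcp/80` only, so a DNS packet pays for one match instead of several hundred. The chain name `HTTP_BLOCK`, the generator functions and the three RFC 5737 sample addresses are assumptions for illustration; the output is in `iptables-restore` format so it can be checked with `iptables-restore --test` before loading.

```shell
#!/bin/sh
# Added example: build an iptables-restore "filter" table in which the long
# list of per-exploit tcp/80 rules lives in a dedicated chain.  Only packets
# for tcp/80 take the jump; DNS and everything else never traverse the list.
# Chain name, function names and sample addresses are assumptions.

# Constructed sample input: one source address per line, the shape a script
# fed by Snort alerts might produce.  Documentation addresses (RFC 5737) only.
SAMPLE_BLOCKLIST='192.0.2.10
192.0.2.11
198.51.100.7'

# build_ruleset CHAIN BLOCKLIST -> prints an iptables-restore "filter" table
build_ruleset() {
    chain=$1
    blocklist=$2
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    printf '%s\n' ":$chain - [0:0]"
    # one jump in INPUT: a DNS packet is matched once here and moves on
    printf '%s\n' "-A INPUT -p tcp --dport 80 -j $chain"
    # the long list exists only inside the dedicated chain
    printf '%s\n' "$blocklist" | while read -r src; do
        [ -n "$src" ] || continue
        printf '%s\n' "-A $chain -s $src -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# count_rules_in_chain CHAIN RULESET -> number of "-A CHAIN" lines
count_rules_in_chain() {
    printf '%s\n' "$2" | grep -c "^-A $1 "
}

RULESET=$(build_ruleset HTTP_BLOCK "$SAMPLE_BLOCKLIST")
printf '%s\n' "$RULESET"
# Check before loading (not run here):
#   printf '%s\n' "$RULESET" | iptables-restore --test
```

With three sample addresses the generated table has one rule in `INPUT` and three in `HTTP_BLOCK`; with several hundred entries only the second number grows. Keeping the list in its own chain also makes it cheap to flush (`iptables -F HTTP_BLOCK`) when the temporary rules are no longer needed.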

* Re: Rule Set Size vs Performance Follow-up
  2004-07-29 15:08 Rule Set Size vs Performance Follow-up David Cary Hart
@ 2004-07-29 16:46 ` Feizhou
  0 siblings, 0 replies; 2+ messages in thread
From: Feizhou @ 2004-07-29 16:46 UTC (permalink / raw)
  To: NetFilter List

David Cary Hart wrote:
> The issue was a large number of dpt 80 rules that are added by a script
> from Snort exploits.
> 
> The suggested solution was to move these to a new chain so that only
> packets destined for httpd would have to traverse several hundred
> (hopefully temporary) rules.
> 
> Not only does this make logical sense but I notice a definite
> improvement in DNS (which is the most apparent performance issue).

You'd probably also want to make sure you don't use any connection
tracking rules and therefore not load the conntrack module. In my case,
DNS queries took seconds (as opposed to milliseconds) to get an answer
back from the dnscache.

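A way to check Feizhou's point on a running box, added here as an example that is not from the thread: scan an `iptables-save` dump for rules that use the `state` or `conntrack` match (either one causes the connection-tracking module to be loaded) and list any conntrack module currently loaded. The dump below is constructed; chain and address names are assumptions. Older kernels named the module `ip_conntrack`, current ones `nf_conntrack`, so the module check matches on the substring `conntrack`.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for rules that pull in
# connection tracking, and report any conntrack module that is loaded.
# The dump is constructed; chain and address names are assumptions.

SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:HTTP_BLOCK - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 80 -j HTTP_BLOCK
-A HTTP_BLOCK -s 192.0.2.10 -j DROP
-A HTTP_BLOCK -m conntrack --ctstate NEW -s 192.0.2.11 -j DROP
COMMIT'

# conntrack_rules DUMP -> prints every rule using the state or conntrack match
conntrack_rules() {
    printf '%s\n' "$1" | grep -E -- '-m (state|conntrack)( |$)'
}

# count_conntrack_rules DUMP -> number of such rules, "0" when there are none
count_conntrack_rules() {
    n=$(conntrack_rules "$1" | grep -c . || true)
    printf '%s\n' "$n"
}

# loaded_conntrack_modules -> module names containing "conntrack" from
# /proc/modules (ip_conntrack on old kernels, nf_conntrack on current ones);
# prints nothing when /proc/modules is unavailable
loaded_conntrack_modules() {
    [ -r /proc/modules ] || return 0
    cut -d ' ' -f 1 /proc/modules | grep conntrack || true
}

# Stand-alone run over the constructed dump; on a real host replace
# "$SAMPLE_DUMP" with "$(iptables-save)".
echo "rules that use connection tracking: $(count_conntrack_rules "$SAMPLE_DUMP")"
conntrack_rules "$SAMPLE_DUMP"
echo "loaded conntrack modules:"
loaded_conntrack_modules
```

A count of zero together with an empty module list means the firewall is not paying the per-packet connection-tracking cost Feizhou saw on his DNS cache. Note that the module, once loaded, stays loaded after the rules are removed; unloading it (or a reboot) is needed to get back to a ruleset that never tracks connections.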