Linux Netfilter discussions
From: Arnd-Hendrik Mathias <arnd-hendrik.mathias@nefkom.net>
To: netfilter@lists.netfilter.org
Subject: Rule Optimization for iptables
Date: Sat, 17 Mar 2007 18:10:19 +0100
Message-ID: <45FC20FB.9060406@nefkom.net>

Hi everyone,
can anybody tell me if there is a possibility to make iptables optimize 
its rulesets automatically? The situation is as follows: I use my 
"workstation" (Celeron 233MHz/128MB RAM) as a gateway for two local 
networks to the WAN. I keep my rulesets for different protocols and 
different scenarios well sorted in separate sections of multiple files. 
This looks like:

# Forward outgoing tcp-ftp connections from lan0 to wan
...ruleset...

# Forward outgoing tcp-ftp connections from lan1 to wan
...ruleset...

....a.s.o.

As a consequence of this I have some rules that are somewhat redundant, and 
others that could be combined into one with a similar effect.
I could easily reduce the number of rules to be checked (hoping to 
reduce the processing time/RAM usage of iptables) manually by combining 
many rules, but this would make my rulesets less maintainable. Currently 
it's quite easy to spontaneously block, for example, outgoing https 
sessions from lan1 by simply commenting out the corresponding few rules 
without side effects on other protocols. So a means to optimize the 
ruleset already loaded could be quite helpful for easy administration.
Has anyone heard of such stuff?
Best regards

Arnd-Hendrik
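An added example, not part of the post or of any netfilter tool: a small Python checker that reads rules in `iptables-save` format (`-A CHAIN ...` lines) and flags the two kinds of waste described above, a rule loaded twice and a rule that can never fire because an earlier terminating rule in the same chain already matches everything it could. The interface names follow the post; the sample dump and the `-m state` rules are constructed for illustration.

```python
import shlex
from collections import namedtuple

Rule = namedtuple("Rule", "lineno chain matches target")
TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # after these, later rules in the chain cannot fire
# Constructed sample in the per-protocol layout of the post (interface names as in the post).
SAMPLE_DUMP = """\
# Return traffic for every protocol, placed first
-A FORWARD -i wan -m state --state ESTABLISHED -j ACCEPT
# Forward outgoing tcp-ftp connections from lan0 to wan
-A FORWARD -i lan0 -o wan -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i wan -o lan0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# Forward outgoing tcp-ftp connections from lan1 to wan
-A FORWARD -i lan1 -o wan -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i lan1 -o wan -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
"""

def parse_rules(dump):
    """Turn each '-A CHAIN ...' line into a Rule; matches are (option, value) pairs."""
    rules = []
    for lineno, line in enumerate(dump.splitlines(), 1):
        if not line.startswith("-A "):
            continue                      # comments, policies, COMMIT, blank lines
        tokens = shlex.split(line.replace("! -", "!-"))   # '! -i wan' -> '!-i wan'
        matches, target, i = set(), None, 2
        while i < len(tokens):
            key, vals, i = tokens[i], [], i + 1
            while i < len(tokens) and not tokens[i].startswith(("-", "!-")):
                vals.append(tokens[i])    # an option takes zero or more values
                i += 1
            if key == "-j":
                target = " ".join(vals)
            else:
                matches.add((key, " ".join(vals)))
        rules.append(Rule(lineno, tokens[1], frozenset(matches), target))
    return rules

def find_redundant(rules):
    """Return (duplicates, shadowed) as (later_rule, earlier_rule) pairs within one chain."""
    duplicates, shadowed = [], []
    for n, rule in enumerate(rules):
        for earlier in (r for r in rules[:n] if r.chain == rule.chain):
            if earlier.matches == rule.matches and earlier.target == rule.target:
                duplicates.append((rule, earlier))   # same rule loaded twice
                break
            # Earlier rule's options are a subset of the later one's: it already terminated every packet.
            if earlier.matches < rule.matches and earlier.target in TERMINATING:
                shadowed.append((rule, earlier))
                break
    return duplicates, shadowed
```

Feed it the output of `iptables-save` with `find_redundant(parse_rules(text))`; the subset test compares option strings literally, so it stays conservative and will not notice overlaps expressed through port ranges, address prefixes or differing `--state` lists.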

