List:       netfilter
Subject:    Re: Rule Set Size vs Performance Follow-up
From:       Feizhou <feizhou () linuxmail ! org>
Date:       2004-07-29 16:46:31
Message-ID: 410929E7.5040708 () linuxmail ! org

David Cary Hart wrote:
> The issue was a large number of dpt 80 rules that are added by a script
> from Snort exploits.
> 
> The suggested solution was to move these to a new chain so that only
> packets destined for httpd would have to traverse several hundred
> (hopefully temporary) rules.
> 
> Not only does this make logical sense but I notice a definite
> improvement in DNS (which is the most apparent performance issue).

You'd probably also want to make sure you don't use any connection 
tracking rules and therefore not load the conntrack module. In my case, 
DNS queries took seconds (as opposed to milliseconds) to get an answer 
back from the dnscache.
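Below is an added example, not the script mentioned in the thread: a POSIX sh generator that writes the two ruleset layouts under discussion in iptables-restore format, so the difference in how many INPUT rules a non-HTTP packet (such as a DNS query) has to traverse can be seen without loading anything into a kernel. The chain name HTTP_BLOCK and the blocked source addresses are constructed.

```shell
#!/bin/sh
# Added example, not the script from the thread: emit an iptables-restore
# ruleset in which the many tcp/80 block rules live in their own chain,
# so a packet that is not HTTP (e.g. a UDP/53 DNS query) crosses only the
# single jump rule in INPUT. The chain name and addresses are constructed.

BLOCKED_SRCS="192.0.2.10 192.0.2.11 198.51.100.7"   # constructed sample data

# emit_flat_ruleset: the "before" layout, every block rule directly in INPUT,
# so every inbound packet is matched against all of them.
emit_flat_ruleset() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]'
    for src in $BLOCKED_SRCS; do
        printf '%s\n' "-A INPUT -p tcp --dport 80 -s $src -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# emit_chained_ruleset: the suggested layout. INPUT holds one jump rule;
# only packets to tcp/80 enter HTTP_BLOCK. No "-m state"/"-m conntrack"
# match is used anywhere, so loading the ruleset never pulls in conntrack.
emit_chained_ruleset() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':HTTP_BLOCK - [0:0]'
    printf '%s\n' '-A INPUT -p tcp --dport 80 -j HTTP_BLOCK'
    for src in $BLOCKED_SRCS; do
        printf '%s\n' "-A HTTP_BLOCK -s $src -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# input_rules_in: number of INPUT rules a non-HTTP packet must be evaluated
# against for the given layout ("flat" or "chained").
input_rules_in() {
    case "$1" in
        flat)    emit_flat_ruleset    | grep -c '^-A INPUT ' ;;
        chained) emit_chained_ruleset | grep -c '^-A INPUT ' ;;
    esac
}

# uses_conntrack: succeeds only if the chained ruleset contains a conntrack match.
uses_conntrack() {
    emit_chained_ruleset | grep -q -e '-m state' -e '-m conntrack'
}

echo "INPUT rules seen by a DNS packet, flat layout:    $(input_rules_in flat)"
echo "INPUT rules seen by a DNS packet, chained layout: $(input_rules_in chained)"
```

The output of emit_chained_ruleset is valid iptables-restore input; it is generated rather than applied here so the layout can be inspected on a host without iptables.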
