Quickest ipchains rules structure

Post by D.S. Hodgs » Sat, 29 Apr 2000 04:00:00



Can anyone tell me whether it is quicker / more efficient to have a
single large ipchains rule set, or to break the rules into
hierarchical chains?

Is this facility there for efficiency or for structure?

Thanks
David


Quickest ipchains rules structure

Post by Rob » Sat, 29 Apr 2000 04:00:00


I would say efficiency. In many applications, ipchains is set up with one
(or more) rule sets intended to categorize or triage packets, which lead to
other rule sets that decide the packet's fate in greater detail. This allows
each packet to traverse a substantially shorter list of rules, thus allowing
the firewall to process each packet faster.

For example, since my firewall is also a dhcp server for the internal
network, there are a lot of reasons it could be receiving a broadcast
packet. Some of these I want to process, others I want to drop, and others I
want to log. By having two or three "categorizing" rules to identify
broadcast packets, I can afford to have twenty or thirty rules to sort out
the different types of broadcast packets in excruciating detail without
unnecessarily delaying more important data packets.


>Can anyone tell me whether it is quicker / more efficient to have a
>single large ipchains rule set, or to break the rules into
>hierarchical chains?

>Is this facility there for efficiency or for structure?

>Thanks
>David



Quickest ipchains rules structure

Post by Eric Co » Thu, 11 May 2000 04:00:00


As any programmer will tell you Binary Trees are always much,
much faster than searching linear lists.

Eric


> Can anyone tell me whether it is quicker / more efficient to have a
> single large ipchains rule set, or to break the rules into
> hierarchical chains?

> Is this facility there for efficiency or for structure?

> Thanks
> David


Quickest ipchains rules structure

Post by bill davids » Thu, 11 May 2000 04:00:00



| As any programmer will tell you Binary Trees are always much,
| much faster than searching linear lists.

  Generally good practice, but since firewall rules are not equally
probable, if you get 99% of the hits on the first rule it isn't going to
buy you anything but the satisfaction of doing it well.

  On a dial-up, policy DROP, first rule to accept a non-SYN packet from
a system port to a local user port, I doubt that you would see any speed
gain from putting the ICMP checks in a chain. And unless you run DNS you
probably don't accept udp.

  So in the simple case the main benefit is in structure, I would say.
--

  "Doing interesting things with little computers since 1979"(tm)
The hardest test of maturity is knowing the difference between
resisting temptation and missing a once-in-a-lifetime opportunity.
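A worked model of the two positions in this thread (Rob's categorizing chains that keep the broadcast detail out of the main path, and bill's point that when 99% of packets hit the first rule a chain buys nothing), added here as an editorial example; it is not code from any of the posters. It is a small Python simulation of ipchains' first-match semantics: rules in a chain are tried in order, a jump to a user-defined chain that falls off its end resumes at the next rule of the calling chain, and a packet that matches nothing gets the built-in chain's policy. The addresses (192.168.1.1 for the firewall, 255.255.255.255 for broadcast), the port numbers, the 30-rule broadcast chain and the two traffic mixes are all constructed for illustration. The quantity it measures is the number of rule comparisons per packet, which is the cost the thread is arguing about.

```python
"""Toy model of ipchains first-match rule evaluation (added example, not from the thread)."""
from __future__ import annotations
from dataclasses import dataclass

LOCAL = "192.168.1.1"        # assumed address of the firewall itself (constructed)
BCAST = "255.255.255.255"    # limited broadcast address

@dataclass
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    dst: str
    dport: int = 0
    syn: bool = False        # TCP SYN flag; ipchains tests it with -y / ! -y

@dataclass
class Rule:
    target: str              # ACCEPT, DENY, or the name of a user-defined chain
    proto: str | None = None # None means "any", like an omitted ipchains option
    dst: str | None = None
    dport: int | None = None
    syn: bool | None = None  # True = SYN only (-y), False = non-SYN only (! -y)

    def matches(self, pkt: Packet) -> bool:
        pairs = ((self.proto, pkt.proto), (self.dst, pkt.dst),
                 (self.dport, pkt.dport), (self.syn, pkt.syn))
        return all(want is None or want == have for want, have in pairs)

class Firewall:
    def __init__(self, policy: str = "DENY"):
        self.chains = {"input": []}     # built-in chain plus any user-defined chains
        self.policy = policy
        self.evaluated = 0
    def new_chain(self, name: str) -> None:             # ipchains -N name
        self.chains[name] = []
    def append(self, chain: str, rule: Rule) -> None:   # ipchains -A chain ...
        self.chains[chain].append(rule)
    def _walk(self, chain: str, pkt: Packet) -> str | None:
        for rule in self.chains[chain]:
            self.evaluated += 1
            if not rule.matches(pkt):
                continue
            if rule.target in self.chains:              # jump to a user-defined chain
                verdict = self._walk(rule.target, pkt)
                if verdict is not None:
                    return verdict
                continue        # fell off the end of the user chain: resume in the caller
            return rule.target  # ACCEPT / DENY ends evaluation
        return None
    def run(self, pkt: Packet) -> tuple[str, int]:
        """Return (verdict, number of rules evaluated) for one packet."""
        self.evaluated = 0
        verdict = self._walk("input", pkt)
        return (verdict if verdict is not None else self.policy), self.evaluated

def broadcast_rules() -> list[Rule]:
    """Thirty 'excruciating detail' broadcast rules (constructed): accept DHCP, deny 29 others."""
    rules = [Rule("ACCEPT", proto="udp", dst=BCAST, dport=67)]
    return rules + [Rule("DENY", proto="udp", dst=BCAST, dport=p) for p in range(100, 129)]

def build(use_chain: bool, established_first: bool) -> Firewall:
    """Constructed rule set: the 30 broadcast rules either inline or behind one categorizing
    jump, and the non-SYN "replies to our own connections" rule either first or after them."""
    fw = Firewall(policy="DENY")
    established = Rule("ACCEPT", proto="tcp", dst=LOCAL, syn=False)   # bill's "first rule"
    if established_first:
        fw.append("input", established)
    if use_chain:
        fw.new_chain("bcast")
        fw.append("input", Rule("bcast", dst=BCAST))    # one categorizing rule
        for r in broadcast_rules():
            fw.append("bcast", r)
    else:
        for r in broadcast_rules():
            fw.append("input", r)
    if not established_first:
        fw.append("input", established)
    fw.append("input", Rule("ACCEPT", proto="tcp", dst=LOCAL, dport=22, syn=True))
    fw.append("input", Rule("ACCEPT", proto="icmp", dst=LOCAL))
    return fw

def average_cost(fw: Firewall, traffic: list[tuple[Packet, int]]) -> float:
    """Mean rule comparisons per packet, weighted by each packet type's share of traffic."""
    total = sum(w for _, w in traffic)
    return sum(w * fw.run(pkt)[1] for pkt, w in traffic) / total

# Constructed traffic mixes; weights are percentages of packets seen.
REPLY = Packet("tcp", LOCAL, dport=40000, syn=False)   # data on an existing connection
DHCP = Packet("udp", BCAST, dport=67)                  # a broadcast we want
NETBIOS = Packet("udp", BCAST, dport=137)              # a broadcast nothing matches -> policy
LAN_MIX = [(REPLY, 70), (DHCP, 10), (NETBIOS, 20)]     # Rob's busy internal network
DIALUP_MIX = [(REPLY, 99), (NETBIOS, 1)]               # bill's "99% hit the first rule"

if __name__ == "__main__":
    for chain in (False, True):
        print(f"chain={chain!s:5} LAN mix, broadcast rules ahead of the hot rule: "
              f"{average_cost(build(chain, False), LAN_MIX):.2f}   "
              f"dial-up mix, hot rule first: {average_cost(build(chain, True), DIALUP_MIX):.2f}")
```

On these constructed mixes the LAN case falls from 28.4 to 8.4 comparisons per packet once the broadcast detail sits behind a single categorizing rule, which is Rob's case. With the established-connection rule first, the dial-up mix reads 1.32 without a chain and 1.33 with one: the chain costs one extra comparison on the rare packet and saves nothing on the 99%, which is bill's case. Moving the hot rule first with no user chain at all gives 7.5 on the LAN mix, so ordering by probability does more than structure does; the chain then earns its keep by isolating the long tail of rules the hot traffic never needs to see.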


1. Converting ipchains rules to iptables rules?

Is there any convenient script available to convert ipchains rules
to iptables rules?

I am migrating my lab server (that runs linux 2.2.19/ipchains) to a
new server that runs linux 2.4.7.  The old server has a list of
ipchains rules that have worked quite well, and I would like the
new server to have these rules as well.  I realize I can use the
2.4.7 ipchains module and the old rules, but I would rather convert
to iptables, even if the conversion will be initially painful.

Thanks!
Ashok
