Hi,

I was thinking about optimizing my rules file. AFAIK the most often used
connections should be at the top (first match) and the least used
connections should be at the bottom.

Soon we will have some more LANs behind our shorewall, so some
optimization would be good to control the traffic.

Is there a way to see which connections are used most, so I can change
the order of the rules? (Or am I completely wrong with my thought...?)

Thanks for any hints and tips

Regards

Götz Reinicke

--
Götz Reinicke
IT Coordinator

Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Mathildenstr. 20
71638 Ludwigsburg
www.filmakademie.de

Registered at Amtsgericht Stuttgart HRB 205016
Chairman of the Supervisory Board: Dr. Christoph Palmer, MdL, Minister a.D.
Managing Director: Prof. Thomas Schadt

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
On Thu, Jul 12, 2007 at 11:59:46AM +0200, Götz Reinicke wrote:
> I was thinking about optimizing my rules file. AFAIK the most often used
> connections should be at the top (first match) and the least used
> connections should be at the bottom.
>
> Soon we will have some more LANs behind our shorewall, so some
> optimization would be good to control the traffic.
>
> Is there a way to see which connections are used most, so I can change
> the order of the rules? (Or am I completely wrong with my thought...?)

Unless you have hundreds of rules, the penalty for being at the bottom
of the list will be small compared to the penalty for using iptables
at all. This is unlikely to make an appreciable difference.

If performance matters to you enough to want even that small gain, buy
a true hardware firewall (from cisco or whoever). They're much faster.
Almost nobody needs them.
Andrew Suffield wrote:
> On Thu, Jul 12, 2007 at 11:59:46AM +0200, Götz Reinicke wrote:
>> I was thinking about optimizing my rules file. AFAIK the most often used
>> connections should be at the top (first match) and the least used
>> connections should be at the bottom.
>>
>> Soon we will have some more LANs behind our shorewall, so some
>> optimization would be good to control the traffic.
>>
>> Is there a way to see which connections are used most, so I can change
>> the order of the rules? (Or am I completely wrong with my thought...?)
>
> Unless you have hundreds of rules, the penalty for being at the bottom
> of the list will be small compared to the penalty for using iptables
> at all. This is unlikely to make an appreciable difference.

Indeed. The penalty for using iptables is paid on every packet while the
penalty for Shorewall rules only occurs on the first packet of session
establishment (exceptions being accounting rules and tcrules).

If you want to see which rules are used the most, you can use the
"shorewall show" command. For example, if you want to see the rules
governing connections from the net zone to the dmz zone, type:

    shorewall show net2dmz

The first column of the display is the packet count. You can re-order
the rules in decreasing order of the count but as Andrew says, the
result is not likely to be noticeable.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
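As an added example (not code from the thread or from Shorewall itself), the script below parses a "shorewall show net2dmz" listing of the kind Tom describes and orders the rules by the packet count in its first column. The sample listing is constructed, and the column layout is assumed to be that of "iptables -L net2dmz -n -v", which the command wraps.

```python
import re

# Constructed sample of what "shorewall show net2dmz" prints; the layout
# is assumed to be that of "iptables -L net2dmz -n -v" and the counters
# are made up.
SAMPLE_NET2DMZ = """\
Chain net2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.1.10            tcp dpt:22
 3501  210K ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.1.20            tcp dpt:443
  98K   12M ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.1.20            tcp dpt:80
    0     0 DROP       udp  --  *      *       0.0.0.0/0            10.0.1.0/24          udp dpt:161
  440   33K net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

def parse_counter(text):
    """Turn an iptables -v counter such as '98K' into an integer.
    iptables abbreviates large counters with K/M/G unless -x is given."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError("bad counter: %r" % text)
    return int(m.group(1)) * _SUFFIX[m.group(2)]

def parse_chain(listing):
    """Return one dict per rule: its 1-based position in the chain, its
    packet and byte counts, and the rest of the line (target, proto,
    addresses, match options)."""
    rules = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 3 or not re.fullmatch(r"\d+[KMG]?", fields[0]):
            continue  # skip the "Chain ..." line and the column titles
        rules.append({
            "pos": len(rules) + 1,
            "pkts": parse_counter(fields[0]),
            "bytes": parse_counter(fields[1]),
            "rule": " ".join(fields[2:]),
        })
    return rules

def by_packet_count(listing):
    """Rules ordered by decreasing packet count; ties keep chain order."""
    return sorted(parse_chain(listing), key=lambda r: (-r["pkts"], r["pos"]))

if __name__ == "__main__":
    for r in by_packet_count(SAMPLE_NET2DMZ):
        print("%8d  (was #%d)  %s" % (r["pkts"], r["pos"], r["rule"]))
```

The sorted list is only a guide: two rules may be swapped without changing policy only if no packet can match both, so a DROP that precedes an ACCEPT for an overlapping address or port range must keep its place regardless of its counter.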