Hi,

[First, sorry for accidentally posting the subscription confirmation to the list. I just blindly and stupidly followed the instructions and pressed "Reply"; I should have pressed "Reply to sender", as the list management message contains headers that point to the list (strange).]

My actual question is whether shorewall is either able to use bitmap-based ippools (currently in patch-o-matic for iptables) or easily extendible to use those. I didn't find anything in the documentation as far as I read through.

The problem is that our institution (University of Ulm) has several thousand machines spread over a Class B net, and we have 600 MBit/sec traffic in the "prime time", so we have to use ippools or similar mechanisms, as having packets traverse thousands of rules just to match IP addresses is too expensive.

Currently, we work with Checkpoint, but we want to switch to iptables, and now we are searching for a nice firewall package that makes use of ippools.

Thanks,
Markus

-- 
Markus Schaber - http://www.schabi.de/
Schabi's Flohmarkt unter http://schabi.de/flohmarkt
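To make the cost difference Markus describes concrete, here is an added Python illustration (not code from this thread, from Shorewall or from the iptables ippool patch): a bitmap-based pool over one /16 stores one bit per address, so a membership test is an index computation plus a bit test regardless of how many hosts are in the pool, whereas an iptables-style chain with one rule per source address is walked linearly. The 10.1.0.0/16 prefix and the 2000 host addresses are constructed placeholders, not the real university network.

```python
import ipaddress


class BitmapIpPool:
    """Membership set for one contiguous prefix, stored as one bit per address.

    A /16 needs 65536 bits (8 KiB). Lookup cost does not depend on how many
    addresses have been added; that is the property a bitmap ippool gives a
    packet filter that the linear rule chain below lacks.
    """

    def __init__(self, network: str):
        self.net = ipaddress.ip_network(network, strict=True)
        self.base = int(self.net.network_address)
        self.size = self.net.num_addresses
        self.bits = bytearray((self.size + 7) // 8)

    def _offset(self, addr: str):
        # Position of addr inside the prefix, or None if it lies outside it
        off = int(ipaddress.ip_address(addr)) - self.base
        return off if 0 <= off < self.size else None

    def add(self, addr: str) -> None:
        off = self._offset(addr)
        if off is None:
            raise ValueError(f"{addr} is outside {self.net}")
        self.bits[off >> 3] |= 1 << (off & 7)

    def remove(self, addr: str) -> None:
        off = self._offset(addr)
        if off is not None:
            self.bits[off >> 3] &= ~(1 << (off & 7)) & 0xFF

    def __contains__(self, addr: str) -> bool:
        off = self._offset(addr)
        return off is not None and bool(self.bits[off >> 3] & (1 << (off & 7)))

    def __len__(self) -> int:
        # Number of addresses currently in the pool (population count)
        return sum(bin(b).count("1") for b in self.bits)


def linear_chain_lookup(chain, addr):
    """Walk an iptables-style chain with one source-address rule per host.

    Returns (matched, rules_evaluated): a miss, or a hit on the last rule,
    costs one comparison per rule in the chain.
    """
    target = ipaddress.ip_address(addr)
    for i, rule_addr in enumerate(chain, start=1):
        if ipaddress.ip_address(rule_addr) == target:
            return True, i
    return False, len(chain)


def pool_lookup(pool: BitmapIpPool, addr: str):
    """Same decision via the bitmap: always exactly one pool test."""
    return addr in pool, 1


# Constructed sample data (placeholder prefix, not a real deployment):
# 2000 hosts spread over the third octets 0..9 of 10.1.0.0/16.
SAMPLE_NET = "10.1.0.0/16"
SAMPLE_HOSTS = [f"10.1.{i // 200}.{i % 200 + 1}" for i in range(2000)]


def build_sample_pool() -> BitmapIpPool:
    pool = BitmapIpPool(SAMPLE_NET)
    for host in SAMPLE_HOSTS:
        pool.add(host)
    return pool


if __name__ == "__main__":
    pool = build_sample_pool()
    last = SAMPLE_HOSTS[-1]
    print("chain:", linear_chain_lookup(SAMPLE_HOSTS, last))
    print("pool: ", pool_lookup(pool, last))
```

Running the block shows the chain evaluating all 2000 rules for the last listed host while the pool answers with a single test; addresses outside the prefix are rejected by the offset check rather than silently mapped onto a wrong bit.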
Hello Markus,

Markus Schaber wrote:
> My actual question is whether shorewall is either able to use
> bitmap-based ippools (currently in patch-o-matic for iptables) or easily
> extendible to use those. I didn't find anything in the documentation as
> far as I read through.

Shorewall NEVER supports facilities that are only in Patch-o-matic. If they happen to work then fine, but I don't add Shorewall support for any Netfilter feature that isn't in the kernel.org kernels.

> The problem is that our institution (University of Ulm) has several
> thousand machines spread over a Class B net, and we have 600 MBit/sec
> traffic in the "prime time", so we have to use ippools or similar
> mechanisms as having packets traverse thousands of rules just to match
> IP addresses is too expensive.

I understand. At such time as ippools make it into the standard kernels, I'll consider adding support for them. Until then, I just don't have the cycles to experiment with every new feature in P-O-M because most of them never make it any further, and I spend enough time with support without having to try to guide newbies through the use of P-O-M.

-Tom

-- 
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Hello Tom,

On Thu, 24 Oct 2002 07:09:43 -0700 Tom Eastep <teastep@shorewall.net> wrote:
> Shorewall NEVER supports facilities that are only in Patch-o-matic. If
> they happen to work then fine but I don't add Shorewall support for
> any Netfilter feature that isn't in the kernel.org kernels.

That's a very reasonable point. Thanks for your quick and informative answer.

Markus