On Mon, 24 Mar 2003, Steve Postma wrote:
> I have Shorewall running on a Pentium 500 with 256 in RAM. This machine is
> the firewall for several web servers and a mailgateway that handles a couple
> thousand pieces of mail a day (net ->dmz->loc). I am trying to be extremely
> paranoid about connections from loc to dmz, and have around 150 rules for it
> so far.
Interesting -- I would have thought that as the level of paranoia went up
that the number of rules would come down!
> This could probably go to 300 pretty easily. Is there a point when
> you have too many rules and it will start affecting service? Thanks for your
> time!
>
Sure -- every new connection request needs to run the gauntlet of the
rules defined for that source and destination zone until a match is found.
So it pays to look at these chains and order them based on the amount of
traffic that you are seeing.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
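Tom's advice to order each zone-pair chain by the traffic it actually sees can be checked against the chain's packet counters. The script below is an added example, not from the thread or from Shorewall itself; it assumes a Shorewall-generated chain named loc2dmz for loc-to-dmz traffic and works on a constructed `iptables -vnx -L ... --line-numbers` listing.

```shell
# Constructed sample of `iptables -vnx -L loc2dmz --line-numbers` output.
# The chain name, addresses and counters are made up for this example.
SAMPLE_CHAIN='Chain loc2dmz (1 references)
num      pkts      bytes target     prot opt in     out     source               destination
1          12       1024 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.1.5             tcp dpt:22
2       48213    5020000 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.1.10            tcp dpt:25
3        9870     800000 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.1.11            tcp dpt:80
4           0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# rank_rules: read the chain listing on stdin, drop the two header lines and
# print the rules sorted by packet counter, busiest first.
rank_rules() {
    awk 'NR > 2 && NF > 0' | sort -b -k2,2nr
}

# misordered_rules: print the number of every rule that has matched more
# packets than the rule directly above it. Each is a candidate for moving up
# the chain, but only past rules it cannot overlap with: moving an ACCEPT
# above a DROP that matches the same traffic changes what the firewall does,
# not just how fast it does it.
misordered_rules() {
    awk 'NR > 2 && NF > 0 {
             if (n++ > 0 && $2 + 0 > prev) print $1
             prev = $2 + 0
         }'
}

# Example use against the constructed listing; on a live box replace the
# printf with: iptables -vnx -L loc2dmz --line-numbers
printf '%s\n' "$SAMPLE_CHAIN" | rank_rules
printf '%s\n' "$SAMPLE_CHAIN" | misordered_rules
```

The reorder itself belongs in /etc/shorewall/rules, since Shorewall regenerates the chains on restart and direct iptables edits are lost.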