Tom Eastep
2003-Oct-11 08:47 UTC
[Shorewall-users] Re: Performance problems with bigblacklist
On Sat, 2003-10-11 at 08:45, nomail@yahoo.com wrote:

This is the last time I will put up with your forged from address. I found your post in my Spam folder and any further posts with a forged yahoo.com from address will stay in that folder!

> it seems shorewall does not optimize
> the iptables rules for bigblacklist
> and it slows down my LAN
> how to make it first check if it is a packet from
> an already established connection so it does not check the whole
> blacklist for every packet ?

Blacklisting is designed to be able to stop established connections. If you don't like that behavior, you will have to use a large set of Rules. Rules are only evaluated for new connections.

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Oct-11 09:08 UTC
[Shorewall-users] Re: Performance problems with bigblacklist
On Sat, 2003-10-11 at 08:47, Tom Eastep wrote:

> Blacklisting is designed to be able to stop established connections. If
> you don't like that behavior, you will have to use a large set of Rules.
> Rules are only evaluated for new connections.

The version of the 'firewall' script in CVS (/Shorewall) supports a BLACKLISTNEWONLY option in shorewall.conf. If this variable is set to "Yes" then only new connection requests will be checked against the blacklists. The shorewall.conf in CVS has this variable set to "Yes" by default.

The 'firewall' script must be installed in /usr/share/shorewall/firewall and may be used only if you are running Shorewall version 1.4.7.

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
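The following is an added illustration of the rule ordering behind both posts, not Shorewall's own 'firewall' script or its generated rules. It emits an iptables-restore ruleset in which a blacklist chain (assumed name: blacklst) is either consulted for every packet, or only after ESTABLISHED/RELATED traffic has been accepted, which is what BLACKLISTNEWONLY=Yes achieves. The sample blacklist file, the chain name and the cost-counting helper are constructed for this example; loading the output with iptables-restore is left to the reader and needs root.

```shell
#!/bin/sh
# Added example: show why a big blacklist slows established traffic unless
# the conntrack state check runs first. Not Shorewall's code.

# make_sample_blacklist: write a constructed blacklist (documentation-range
# addresses) to a temp file and print its path.
make_sample_blacklist() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample blacklist, one address or network per line
192.0.2.0/24
198.51.100.7
203.0.113.0/24
EOF
    echo "$f"
}

# gen_rules <new_only> <blacklist_file>
#   new_only=yes : accept ESTABLISHED,RELATED before jumping to blacklst
#                  (the BLACKLISTNEWONLY=Yes ordering)
#   new_only=no  : jump to blacklst first, so every packet walks the list
gen_rules() {
    new_only=$1
    blfile=$2
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':blacklst - [0:0]'
    # one DROP rule per blacklisted source; blank and comment lines skipped
    while read -r addr; do
        case "$addr" in ''|\#*) continue ;; esac
        echo "-A blacklst -s $addr -j DROP"
    done < "$blfile"
    if [ "$new_only" = yes ]; then
        echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    fi
    echo '-A INPUT -j blacklst'
    echo '-A FORWARD -j blacklst'
    if [ "$new_only" != yes ]; then
        echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    fi
    echo 'COMMIT'
}

# rule_line <ruleset-text> <exact-rule>: line number of the first match.
rule_line() {
    printf '%s\n' "$1" | grep -n -F -- "$2" | head -n 1 | cut -d: -f1
}

# established_cost <ruleset-text>: number of rule evaluations an INPUT
# packet belonging to an established connection goes through. With the
# state check first it is 1; otherwise it is every blacklst rule plus the
# jump and the accept (N + 2). This models iptables traversal, it does not
# run iptables.
established_cost() {
    rs=$1
    accept=$(rule_line "$rs" '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT')
    jump=$(rule_line "$rs" '-A INPUT -j blacklst')
    n=$(printf '%s\n' "$rs" | grep -c -- '^-A blacklst ')
    if [ "$accept" -lt "$jump" ]; then
        echo 1
    else
        echo $((n + 2))
    fi
}
```

Usage: `bl=$(make_sample_blacklist); gen_rules yes "$bl"` prints the ruleset, and `established_cost "$(gen_rules no "$bl")"` shows how the per-packet cost grows with the size of the list when the state check comes second. The trade-off the first post describes is visible in the `yes` ordering: a source that is blacklisted after a connection is already established is no longer dropped, because its packets are accepted by the state rule before the list is consulted.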