Shorewall users - Mar 2004 - Having too many zones in zones file?

Greetings everyone:
 
In our organization, for our shorewall configuration, we have defined
numerous zones, such that each zone contains a different subnet.   
We have not however, used the concept of parent zone and sub-zones.
That is why, may be, we are having difficulty starting shorewall.  
We are assuming that the delay in starting shorewall could be due to huge
numbers of chains being created 
for the traffic policies between the different zones.
 
Can someone suggest a solution to the above situation?
 
Thanks a lot,
 
Kavita Chhabria
Systems Developer
Apogent Technologies
(269) 544-7515
 <mailto:kchhabria@apogent.com> kchhabria@apogent.com

Chhabria, Kavita - Apogent wrote:
> Greetings everyone:
>  
> In our organization, for our shorewall configuration, we have defined
> numerous zones, such that each zone contains a different subnet.   
> We have not however, used the concept of parent zone and sub-zones.
> That is why, may be, we are having difficulty starting shorewall.  
> We are assuming that the delay in starting shorewall could be due to huge
> numbers of chains being created 
> for the traffic policies between the different zones.
The time required for certain phases of "shorewall start" is O(n * n) 
where n = number of unique host groups. A host group is a 
zone:interface:network tuple.
>  
> Can someone suggest a solution to the above situation?
>  
If using a light-weight shell such as ''ash'' or
''dash'' doesn''t make the
start time acceptable (see FAQ 34), you will have to simplify your 
configuration.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net