Hello,

Is there a way to speed up Shorewall loading, e.g. by not displaying the blacklist when it loads?

Thank you.

By the way, which Linux distribution works best (no iptables problems and other stuff like with Mandrake) with the latest Shorewall to make a brouter?
ANGELESCU Florin wrote:
> hello
> is there a way to speed up shorewall loading
> by e.g. not displaying the blacklist when it loads ?

This is FAQ 34.

a) Use a lightweight shell like ash or dash (see SHOREWALL_SHELL in shorewall.conf).

b) Use the -q option to [re]start.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,    \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Wed, 28 Jul 2004 08:21:04 -0700, Tom Eastep <teastep@shorewall.net> wrote:
> ANGELESCU Florin wrote:
>> hello
>> is there a way to speed up shorewall loading
>> by e.g. not displaying the blacklist when it loads ?
>
> This is FAQ 34.
>
> a) Use a lightweight shell like ash or dash (see SHOREWALL_SHELL in
> shorewall.conf).
>
> b) Use the -q option to [re]start.
>
> -Tom

Well, my problem comes from my big, big blacklist. Does it change anything with ash? I will try.

Thanks for your answer.
ANGELESCU Florin wrote:
> On Wed, 28 Jul 2004 08:21:04 -0700, Tom Eastep <teastep@shorewall.net> wrote:
>
>> ANGELESCU Florin wrote:
>>
>>> hello
>>> is there a way to speed up shorewall loading
>>> by e.g. not displaying the blacklist when it loads ?
>>
>> This is FAQ 34.
>>
>> a) Use a lightweight shell like ash or dash (see SHOREWALL_SHELL in
>> shorewall.conf).
>>
>> b) Use the -q option to [re]start.
>>
>> -Tom
>
> well my problem come from my big big blacklist
> does it change something with ash ?
> i will try

EVERYTHING GOES FASTER WITH ASH!!! (including loading the blacklist)

And if that still isn't fast enough for you:

a) Don't use such a large blacklist; or
b) Search the archives for where I described how to load the blacklist after Shorewall has been started.

-Tom
ANGELESCU Florin wrote:
> On Wed, 28 Jul 2004 08:50:23 -0700, Tom Eastep <teastep@shorewall.net> wrote:
>
>> EVERYTHING GOES FASTER WITH ASH!!! (including loading the blacklist)
>>
>> And if that still isn't fast enough for you:
>>
>> a) Don't use such a large blacklist; or
>> b) Search the archives for where I described how to load the blacklist
>> after Shorewall has been started.
>
> ------------
> Thank you very much.
>
> It isn't fast enough even with ash [it runs on a 750 MHz, 256 RAM].
> I tried removing the display in the firewall script in /usr/share/shorewall,
> but it doesn't change anything.
> It takes ages and I don't understand why. Is it because of iptables?

Please read the archives about this issue -- it has been discussed to death....

-Tom
ANGELESCU Florin wrote:
>>> Thank you very much.
>>> It isn't fast enough even with ash [it runs on a 750 MHz, 256 RAM].
>>> I tried removing the display in the firewall script in
>>> /usr/share/shorewall
>>> but it doesn't change anything.
>>> It takes ages and I don't understand why. Is it because of iptables?
>>
>> Please read the archives about this issue -- it has been discussed to
>> death....
>
> OK, sorry to annoy you.
> I used the search feature on http://lists.shorewall.net/
> but didn't see anything, my bad. I will try with Google ;)

I have a few minutes so I'll try to recap.

a) The bulk of the time spent during 'shorewall [re]start' is in iptables if you are using a lightweight shell such as 'ash'.

b) Adding rules to a long chain in iptables is expensive. IIRC, there was a fix created for that at some point which makes such additions faster.

c) In my opinion, having a huge blacklist is not useful. By the time you get an address blacklisted, the damage (if any) is done, and repeat offenders are rare.

d) A large blacklist takes forever to load and can impact firewall performance dramatically (BLACKLISTNEWONLY=Yes can help).

e) You can load your blacklist after 'shorewall [re]start' completes by:

   1. Placing an empty blacklist file in /etc/shorewall
   2. Placing your real blacklist file in /etc/blacklist/blacklist
   3. In /etc/shorewall/start, place:

        CONFIG_PATH=/etc/blacklist:$CONFIG_PATH
        blacklist_refresh

-Tom
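The deferred-loading recipe in e) above, written out as an added example (not Shorewall's own code nor anything from the list): the /etc/shorewall/start hook checks the real blacklist before handing it to blacklist_refresh. It assumes the list lives in /etc/blacklist/blacklist with one IPv4 address or CIDR per line, that blacklist_refresh is available to the hook as the recap states, and the MAX_ENTRIES warning threshold is an arbitrary assumed value, since the thread only says that "huge" lists load slowly and hurt performance.

```shell
#!/bin/sh
# Added example: /etc/shorewall/start hook that loads the blacklist after
# 'shorewall [re]start' has finished, as described in the recap above.
# Assumed layout: real list in $BLACKLIST_DIR/blacklist, empty one in /etc/shorewall.

BLACKLIST_DIR=${BLACKLIST_DIR:-/etc/blacklist}
MAX_ENTRIES=${MAX_ENTRIES:-2000}   # assumed threshold, not a Shorewall setting

# Print the number of syntactically valid IPv4 / CIDR entries in file $1.
# Comment and blank lines are ignored; returns non-zero if any line is malformed,
# so a typo in a huge list is caught before iptables spends minutes on it.
count_blacklist_entries() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            n = split($1, p, "/")
            ok = (n == 1 || (n == 2 && p[2] ~ /^[0-9]+$/ && p[2] + 0 <= 32))
            if (split(p[1], o, ".") != 4) ok = 0
            for (i = 1; i <= 4 && ok; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (ok) good++
            else { bad++; printf "bad entry at line %d: %s\n", NR, $0 > "/dev/stderr" }
        }
        END { print good + 0; exit (bad > 0) }
    ' "$1"
}

# The hook body: validate, warn on size, then let Shorewall load the list from
# $BLACKLIST_DIR by putting it first on CONFIG_PATH (the recap's step 3).
deferred_blacklist_load() {
    file=$BLACKLIST_DIR/blacklist
    [ -s "$file" ] || { echo "no blacklist at $file, nothing to load"; return 0; }
    n=$(count_blacklist_entries "$file") || { echo "refusing to load $file: invalid entries"; return 1; }
    [ "$n" -gt "$MAX_ENTRIES" ] && echo "warning: $n blacklist entries; large lists load slowly and cost per-packet time"
    CONFIG_PATH=$BLACKLIST_DIR:$CONFIG_PATH
    blacklist_refresh
}
```

Sourced from /etc/shorewall/start, a single call to deferred_blacklist_load replaces the two bare lines from the recap; the empty /etc/shorewall/blacklist still keeps the main [re]start fast.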