Re: Firewalling Rules (Was: Linux Kernels)

Richard B. Johnson (root@chaos.analogic.com)
Fri, 31 Oct 1997 13:05:45 -0500 (EST)


On Fri, 31 Oct 1997, Rogier Wolff wrote:

> Richard B. Johnson wrote:
> >
> > On Fri, 31 Oct 1997, Matthew Kirkwood wrote:
> > [SNIPPED]
> > >
> > > Having heard various (and unconvincing) horror stories about the effect
> > > that having many firewalling rules can have on network latency, I thought
> > > up this foolish plan: firewall modules
[SNIPPED]
> >
> > I have not looked at the firewall code. However, I think that firewall
> > rules just create and/or modify entries within a hash-table or two. If so,
> > you are just adding/modifying entries to an existing table when using
> > the cumbersome utility. The code should already be somewhat optimized so
> > your net-gain from a lot of work might be near zero.
[SNIPPED]

> I don't think many people are hitting performance problems on firewall
> rules, but there was a discussion a while back where I showed that it
> could be done to translate a firewall config file into a C program.
>
[SNIPPED]
>
> Aren't your firewall rules wrong if you cannot lump many of them
> together?
>
> Roger.

Probably. What I have done is, when I find another Micro$garbage program
sneaking its crap into my PPP Link, I identify it with tcpdump and then
add another entry to the firewall rules. Basically, because NetBEUI
is NETBIOS within BROADCAST packets, I have to filter them "per machine".
Then there are the "SNMP" programs that come with 'NT' that make a
pretty screen showing all the nodes on a network. This runs by arp-ing
every possible machine and recording those that respond. It also requests
a reverse-lookup on my DNS once a responding IP Address is found. This
junk has to be filtered or I get 254 arp requests every second on my
PPP Link. You don't notice this stuff on Ethernet, but once you try
to extend your LAN to a subnet connected by dialup PPP, you get to
hate all the junk.

Cheers,
Dick Johnson

Richard B. Johnson
Project Engineer
Analogic Corporation
Penguin : Linux version 2.1.60 on an i586 machine (66.15 BogoMips).
Warning : It's hard to remain at the trailing edge of technology.
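As an added illustration of the identify-with-tcpdump-then-add-a-rule loop described in the reply above (this is editor-supplied example code, not something from the thread or from Dick's setup), the script below scans constructed, simplified tcpdump-style lines for NetBIOS traffic sent to broadcast addresses and for hosts ARP-ing many distinct targets, then prints ipfwadm deny rules for the PPP interface. It also shows the "lump them together" alternative Roger raised: collapsing per-host rules that share a /24 into one subnet rule. Everything in it is assumed: the log lines and addresses are made up, the line layout only approximates tcpdump output, the sweep threshold is arbitrary, and the ipfwadm flag order is from memory of ipfwadm(8), so check it against your own manual page before running any of the generated commands. Note also that an IP firewall cannot filter ARP itself; the rule emitted for a sweeper denies that host's IP traffic on the link, which is a policy choice made only for the example.

```python
"""Find NetBIOS broadcast chatter and ARP sweeps in tcpdump-style text and
emit ipfwadm deny rules for a PPP link.  Added example: log lines, addresses,
threshold and ipfwadm flag layout are all assumptions, not from the thread."""
import re
from collections import defaultdict

# Constructed sample (not a real capture); layout loosely mimics tcpdump -n output.
SAMPLE = """\
13:05:01.000001 192.168.1.5.137 > 192.168.1.255.137: udp 50
13:05:01.000002 192.168.1.5.138 > 192.168.1.255.138: udp 201
13:05:01.000003 192.168.1.9.137 > 192.168.1.255.137: udp 50
13:05:01.000004 arp who-has 192.168.1.1 tell 192.168.1.20
13:05:01.000005 arp who-has 192.168.1.2 tell 192.168.1.20
13:05:01.000006 arp who-has 192.168.1.3 tell 192.168.1.20
13:05:01.000007 arp who-has 192.168.1.4 tell 192.168.1.20
13:05:01.000008 arp who-has 192.168.1.20 tell 192.168.1.1
13:05:01.000009 192.168.1.9.1024 > 10.0.0.2.53: udp 30
"""

UDP_RE = re.compile(r'^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): udp')
ARP_RE = re.compile(r'^\S+ arp who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)')

NETBIOS_PORTS = {137, 138}   # NetBIOS name service and datagram service over UDP
ARP_SWEEP_THRESHOLD = 3      # assumed: distinct targets from one host before we call it a sweep


def is_broadcast(ip):
    """Limited broadcast or (assumed /24) directed broadcast address."""
    return ip == '255.255.255.255' or ip.endswith('.255')


def find_offenders(text, sweep_threshold=ARP_SWEEP_THRESHOLD):
    """Return (hosts sending NetBIOS to broadcast, hosts ARP-sweeping), both sorted."""
    netbios = set()
    arp_targets = defaultdict(set)
    for line in text.splitlines():
        m = UDP_RE.match(line)
        if m:
            src, dst, dport = m.group(1), m.group(3), int(m.group(4))
            if dport in NETBIOS_PORTS and is_broadcast(dst):
                netbios.add(src)
            continue
        m = ARP_RE.match(line)
        if m:
            target, asker = m.groups()
            arp_targets[asker].add(target)
    sweepers = {h for h, t in arp_targets.items() if len(t) >= sweep_threshold}
    return sorted(netbios), sorted(sweepers)


def lump_by_subnet(hosts, min_hosts=2):
    """Collapse hosts sharing a /24 into one 'a.b.c.0/24' entry once at least
    min_hosts of them appear; hosts in sparser /24s stay as individual entries."""
    by_net = defaultdict(list)
    for h in hosts:
        by_net[h.rsplit('.', 1)[0]].append(h)
    out = []
    for net, members in sorted(by_net.items()):
        out.append(net + '.0/24' if len(members) >= min_hosts else members[0])
        if len(members) < min_hosts:
            out.extend(members[1:])
    return out


def ipfwadm_rules(netbios_sources, arp_sweepers, iface='ppp0'):
    """Build ipfwadm(8) input-chain deny rules.  Flag layout (-I input chain,
    -a deny, -P proto, -S src [ports], -D dst [ports], -W interface) is assumed
    from memory of the manual; verify before use."""
    rules = []
    for src in netbios_sources:
        rules.append(f'ipfwadm -I -a deny -P udp -S {src} -D 0.0.0.0/0 137:138 -W {iface}')
    for src in arp_sweepers:
        # ARP is not IP, so the firewall cannot see the sweep itself; this
        # drops the sweeper's IP traffic (e.g. its reverse-lookup queries).
        rules.append(f'ipfwadm -I -a deny -S {src} -D 0.0.0.0/0 -W {iface}')
    return rules


if __name__ == '__main__':
    nb, sweep = find_offenders(SAMPLE)
    print('# per-host rules')
    print('\n'.join(ipfwadm_rules(nb, sweep)))
    print('# same, with NetBIOS sources lumped by /24')
    print('\n'.join(ipfwadm_rules(lump_by_subnet(nb), sweep)))
```

Run it as-is to see the per-host rule set and the lumped one side by side; to use it on a real link, feed it the output of tcpdump -n on the PPP interface instead of SAMPLE and adjust the regexes to whatever your tcpdump version actually prints.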