On Sat, 2004-01-10 at 00:10, Patrick McHardy wrote:
> Vincent Jaussaud wrote:
> > Hi;

Hi, and thanks for your reply.

> >
> That might help, although without stateful filtering the rules
> have to be evaluated for each single packet.

Okay, we'll give it a try.

> >
> > 2) Replace iptables by nf-hipac for packet filtering. Have you guys any
> > experience with nf-hipac ? (http://www.hipac.org/)
>
> nf-hipac is very good with a large number of rules, for just http
> filtering I suspect iptables will do equally good or better.

To be tested then, ok I'll try to see if we could build a test network
and try to simulate such traffic.

> >
> > I would be really thankful to hear of any solutions / workarounds /
> > optimization to keep our linux firewalls handling growing traffic :-)
>
> Try without conntrack if you don't need it, otherwise start with
> increasing the hash table size and limit ip_conntrack_max to 2 times
> the hash size. There was a thread about optimizing iptables on
> netfilter-devel 1-2 months ago, it was started by Hervé Eychenne,
> search the archives.

Thanks, I found the post. Indeed, there is a lot of helpful information
within. I'll investigate these posts deeper.

Thanks !

Regards,
Vincent.

>
> Best regards,
> Patrick
>
> >
> > Thanks !
> > Vincent.
> >
> > ---
> >
> > Vincent Jaussaud
> > Kelkoo.com Security Manager
> > email: tatooin@xxxxxxxxxx
> >
> > "Those who desire to give up freedom in order to gain security will not
> > have, nor do they deserve, either one."
> > -- President Thomas Jefferson. 1743-1826
> >
> > _______________________________________________
> > LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
> > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

--
Vincent Jaussaud
Kelkoo.com Security Manager
email: tatooin@xxxxxxxxxx