Hello, I have an iptables-based firewall with 5 gigabit Ethernet adapters and almost 8000 rules (ouch!). This is a "test bed", (still) not a production environment. I can see delays in traffic when it crosses the firewall (milliseconds). I want to optimize the firewall rules (we use a LOT of VoIP), so this is my question: Is there any way to know when a packet matches a rule? -j LOG is not feasible (thousands of packets per second). I want something like this:

Last two hours:
Rule 1: 15000 hits, 150 megabytes
Rule 2: 3500 hits, 34 megabytes
Rule 3: 9675 hits, 2 megabytes
ad infinitum...

Another question: How can I test iptables rules? In ipchains I could try them, but with iptables do I have to generate fake traffic?

Thank you for your support.
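Added example (not part of the original post): iptables already keeps a packet and byte counter per rule, readable with `iptables -L -v -n -x --line-numbers` (`-x` prints exact numbers instead of "12K", `-Z` zeroes the counters). The script below parses two such listings taken some time apart and reports, per rule, the hits and bytes accumulated in between, which produces exactly the "last two hours" table asked for without any `-j LOG` cost. The two snapshots embedded in the block are constructed sample output, not counters from a real firewall; the `collect_snapshot()` helper that runs iptables itself is only invoked from the `__main__` guard.

```python
"""Rank iptables rules by the traffic they matched between two counter snapshots."""
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class RuleKey:
    chain: str
    num: int


def collect_snapshot(table: str = "filter") -> str:
    """Run iptables and return its listing (needs root; not used by the tests)."""
    cmd = ["iptables", "-t", table, "-L", "-v", "-n", "-x", "--line-numbers"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_counters(listing: str) -> dict:
    """Parse `iptables -L -v -n -x --line-numbers` output into
    {RuleKey(chain, num): (packets, bytes, rule_text)}.
    Without -x the counters are abbreviated (e.g. 12K) and int() would fail."""
    rules = {}
    chain = None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]  # works for "(policy ...)" and "(N references)"
            continue
        fields = line.split(None, 3)
        # Skip blank lines and the per-chain column header ("num pkts bytes target ...").
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        num, pkts, byts = int(fields[0]), int(fields[1]), int(fields[2])
        # Keep the rest of the line verbatim so a rule with no target still parses.
        text = fields[3].strip() if len(fields) > 3 else ""
        rules[RuleKey(chain, num)] = (pkts, byts, text)
    return rules


def counter_deltas(before: dict, after: dict):
    """Per-rule (hits, bytes, rule_text) between two snapshots.
    Rules whose text differs between snapshots (chain edited, numbers shifted)
    are returned separately instead of producing a meaningless delta.
    A counter that went backwards means `iptables -Z` ran in between, so the
    later absolute value is used for that interval."""
    deltas, changed = {}, []
    for key, (pkts1, bytes1, text1) in after.items():
        prev = before.get(key)
        if prev is None or prev[2] != text1:
            changed.append(key)
            continue
        pkts0, bytes0, _ = prev
        hits = pkts1 - pkts0 if pkts1 >= pkts0 else pkts1
        size = bytes1 - bytes0 if bytes1 >= bytes0 else bytes1
        deltas[key] = (hits, size, text1)
    return deltas, changed


def report(deltas: dict, top: int = None) -> list:
    """Human-readable lines, busiest rule first (decimal megabytes)."""
    ranked = sorted(deltas.items(), key=lambda kv: kv[1][0], reverse=True)
    return [
        f"{key.chain} rule {key.num}: {hits} hits, {size / 1e6:.1f} MB  [{text}]"
        for key, (hits, size, text) in ranked[:top]
    ]


# Constructed sample listings (not real firewall output), two hours apart.
SNAPSHOT_T0 = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1       10000   10000000 ACCEPT     udp  --  eth1   eth2    10.0.0.0/8           0.0.0.0/0            udp dpt:5060
2        1000    1000000 ACCEPT     udp  --  eth1   eth2    10.0.0.0/8           0.0.0.0/0            udp dpts:10000:20000
3          25       2000 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
"""
SNAPSHOT_T1 = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1       25000  160000000 ACCEPT     udp  --  eth1   eth2    10.0.0.0/8           0.0.0.0/0            udp dpt:5060
2        4500   35000000 ACCEPT     udp  --  eth1   eth2    10.0.0.0/8           0.0.0.0/0            udp dpts:10000:20000
3        9700    2002000 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
"""

if __name__ == "__main__":
    deltas, changed = counter_deltas(parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T1))
    print("Last two hours:")
    print("\n".join(report(deltas)))
    if changed:
        print("ruleset changed between snapshots, skipped:", changed)
```

In practice you would save `collect_snapshot()` output to a file from cron, then diff any two files; sorting by hits also shows which rules deserve to move to the top of a chain (or into a dedicated VoIP chain jumped to early), which is where the per-packet latency of an 8000-rule linear scan comes from. For the second question, iptables has no offline rule simulator; these counters, and the raw table's TRACE target for following an individual real packet through the chains, are the standard ways to see which rules traffic actually hits.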