How can I solve this problem. Is it due to my heavy configuration ?
I am afraid it will be worse if I install DMZ servers (http, ftp, postfix,
dns)
Have you got any suggestion ?
Thanks a lot.
Here is my (heavy) configuration
This is not what I would call a heavy load Stephane. Your rig should handle
this without a blink. My netfilter/iptables firewall is also directly
connected to the internet via dsl (albeit with a static IP), with five
subnets behind it, including a DMZ with a mail relay, DNS server, web
server, squid proxy, etc, etc, blah, blah. My rule set stands at
approximately 2000 and my machine does not blink. So I suggest the slow down
might be something else. Suggestions and questions:
1. Run your firewall (temporarily of course) with no rules loaded and all
your default policies set to default so you can make some rate comparisons:
set_default_policy()
{
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
}
2. Your FTP rules need a little tuning. I can see these giving you some
problems with your ftp communication. Are you using ip_conntrack_ftp?
3. I notice you seem to favor source port 1024 on you output rules. I find
this a little hard to understand. Is there a reason for this?
