On Mon, 30 Aug 2004 at 22:37, George Alexandru Dragoi wrote:

> Well, I don't know if you want to log EVERYTHING.
> Remember ip_conntrack works on streams, so you can log only NEW packets.
> I have like 90 rules with -m mac like those I said before + several
> port forwardings, on a P2 450MHz, 100mbit internet connection, used a
> lot, almost all the time at 11MB/s at upload (exactly where those
> rules are mostly hit), and top says the sys load is around 40% at
> most when I have full bandwidth in use, but I think it is not because
> of the netfilter, but the PCI usage. Traffic at 50% usually needs much
> less CPU, like 5-10%. I also have many other rules for SYN scan
> limiting, bandwidth counting, and so on.

Obviously our system is useful for a not huge set of rules; we use it on a per-service basis, not per IP or MAC. We have been using it with a big number of rules (services) and it works like a charm, without slowing the system, but if you have a lot of MACs our system can surely be a bad idea.

--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@xxxxxxxxx

bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
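The point made in the quoted mail (ip_conntrack tracks streams, so logging and per-MAC matching can be restricted to NEW packets) can be turned into a ruleset as follows. This is an added example, not code from either poster: it emits an iptables-restore file in which ESTABLISHED/RELATED traffic is accepted before any -m mac or LOG rule, so those rules cost CPU once per connection rather than once per packet; the interface, MAC addresses and port are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an iptables-restore ruleset
# that (1) accepts already-tracked streams first, (2) logs only NEW packets,
# rate limited, and (3) checks -m mac rules only for NEW packets.
# Interface, MACs and port below are constructed placeholders.
# Usage: sh firewall.sh > rules.v4 && iptables-restore < rules.v4

LAN_IF="eth1"
ALLOWED_MACS="00:11:22:33:44:55 00:11:22:33:44:66"

build_ruleset() {
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf ':LAN_MACS - [0:0]\n'
    # Packets of streams ip_conntrack already knows skip every rule below.
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    # From here on only NEW packets are seen: one log line per connection,
    # capped so a flood cannot fill the syslog.
    printf -- '-A FORWARD -m state --state NEW -m limit --limit 10/min -j LOG --log-prefix "fw-new: "\n'
    # Per-MAC allow list, evaluated once per connection instead of per packet.
    for mac in $ALLOWED_MACS; do
        printf -- '-A LAN_MACS -m mac --mac-source %s -j RETURN\n' "$mac"
    done
    printf -- '-A LAN_MACS -j DROP\n'
    printf -- '-A FORWARD -i %s -m state --state NEW -j LAN_MACS\n' "$LAN_IF"
    # Per-service rules (the approach described in the reply) follow the MAC check.
    printf -- '-A FORWARD -i %s -m state --state NEW -p tcp --dport 80 -j ACCEPT\n' "$LAN_IF"
    printf 'COMMIT\n'
}

# Helper for checking the generated ruleset: number of -m mac rules emitted.
count_mac_rules() {
    build_ruleset | grep -c -- '-m mac'
}
```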