Time and time again.... I forgot to mail netfilter. I always remember to do it half a second after I press "send". :-(

---------- Forwarded message ----------
From: Edmundo Carmona <eantoranz@xxxxxxxxx>
Date: Sep 14, 2005 9:41 AM
Subject: Re: Maximum number of rules in iptables?
To: /dev/rob0 <rob0@xxxxxxxxx>

Well... I guess there happen to be so many rules in those scripts because they *could* come out (programmatically speaking) more easily that way.... I'm not saying it's because of that (haven't sat down to think about a firewall script generator tool)... but it could play a part.

On 9/14/05, /dev/rob0 <rob0@xxxxxxxxx> wrote:
>
> On 9/13/05, Peggy Kam <ppkam@xxxxxxxxx> wrote:
> > > What is the maximum number of policies I can define in the
> > > iptables? i.e. how much memory is allocated for iptables?
>
> I'm sure the answer is in the kernel source code if you need it. This
> forum is more for users than developers. You could try asking on LKML
> or on netfilter-devel, but I don't think you would be well-received
> there unless you showed an effort to find your own answers.
>
> Opinion as a user: it's probably dynamically allocated; more memory is
> used in cases where there are more rules, or where the rules require.
>
> Remembered from Googling: it's not ever likely to be a factor.
>
> Personal experience: an 8MB 80386 is quite capable of handling NAT for
> home and small business broadband connections. I increased the default
> number of connection tracking table (ip_conntrack_max) entries, but
> otherwise had no problem.
>
> On Tuesday 2005-September-13 22:41, Edmundo Carmona wrote:
> > that's a NFI for me. A whole bunch.... I've seen red hat scripts that
> > are way longer than mine. ;-)
>
> I think it's safe to say that if you're making that many rules, you're
> doing something wrong. :) I said the same thing in this thread to this
> poster over a month ago.
>
> Red Hat iptables rules (that I have seen) are terrible. Do they have
> anyone on staff who understands firewalling? If so, they're not working
> on the firewalls.
> --
> mail to this address is discarded unless "/dev/rob0"
> or "not-spam" is in Subject: header
>
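Added example, not part of the thread above and not anyone's posted script: a small POSIX shell audit that answers the two practical questions raised in the exchange, how many rules a ruleset really has (per table and chain, from iptables-save output) and what the connection-tracking table limit currently is, the one knob rob0 says he actually had to raise. The ruleset is a constructed sample embedded in the script; the rule-count threshold is arbitrary and only illustrates the "if you have that many rules, restructure" point. The sysctl paths are the real ones (nf_conntrack_max on current kernels, ip_conntrack_max on 2.4/early 2.6); the script reports "unavailable" where neither is readable.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): count iptables rules per
# table and chain from iptables-save output, flag oversized chains, and show
# the conntrack table limit. The ruleset below is a constructed sample.

SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
'

# Print "table chain count" for every chain holding at least one rule.
# Only "-A" lines are rules; ":CHAIN POLICY [p:b]" declarations and COMMIT
# are skipped. Output is sorted because awk's for-in order is unspecified.
rules_per_chain() {
    printf '%s' "$1" | awk '
        /^\*/  { table = substr($0, 2) }
        /^-A / { n[table " " $2]++ }
        END    { for (k in n) print k, n[k] }
    ' | sort
}

# Total rule count across all tables (what "how many rules" usually means).
total_rules() {
    printf '%s' "$1" | grep -c '^-A '
}

# Chains whose rule count exceeds a threshold ($2). A very long chain is a
# design smell (candidates: user-defined chains, ipset), not a memory limit.
oversized_chains() {
    rules_per_chain "$1" | awk -v max="$2" '$3 > max { print $1, $2, $3 }'
}

# The conntrack table is the limit that actually needs sizing on a NAT box.
# Current kernels expose it as nf_conntrack_max, old ones as ip_conntrack_max.
conntrack_max() {
    for f in /proc/sys/net/netfilter/nf_conntrack_max \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_max; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    echo "unavailable"
}

# Stand-alone run against the constructed sample. To audit a live host,
# replace "$SAMPLE_RULES" with "$(iptables-save)" (run as root).
echo "total rules: $(total_rules "$SAMPLE_RULES")"
rules_per_chain "$SAMPLE_RULES"
echo "chains with more than 2 rules:"
oversized_chains "$SAMPLE_RULES" 2
echo "conntrack max: $(conntrack_max)"
```

On a real router, run it as root with `iptables-save` substituted for the sample; if `conntrack_max` prints a number well below the peak of `/proc/sys/net/netfilter/nf_conntrack_count` you see under load, that, not the rule count, is the value to raise (via sysctl `net.netfilter.nf_conntrack_max`).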