> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Marc Green
> Sent: Wednesday, November 09, 2005 3:03 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Performance problems on my firewall using iptables
> (SuSEfirewall2)
>
> Find herewith the result of the "iptables-save" command.
>
> Some notes:
> For Derick:
> ==> Yes I'm running a graphical interface. But nobody logs on
> this system except me sometimes to do administration.
> ==> In the first mail that is right, there were no files
> attached with it.
> I preferred not to send them (after typing it but forgot to erase the
> text) so as not to overload the list with info that might not be necessary.
> ==> 2 internal networks on the same interface: on one of the
> networks I have the children's computers. With crontab I just
> bring one network down at a specific time to shut down
> Internet access for the kids but not for me.
>
> Many thanks for your concern(s).

Sorry for a very late reply. Your ruleset is not obscenely large; however, it does seem to be more complicated than necessary for a home firewall. There are well over 200 rules here, and from skimming them I would have to say that some are unnecessary, particularly with a default DROP policy on INPUT and FORWARD. Generally it's only necessary to drop subnets you don't like before accepting ports, and to drop bad TCP packets (invalid state, NEW without --syn, and so on).

Having only used a Linux GUI under extreme duress, I don't know how much the difference in memory usage is logged-in vs. logged-off; however, I would conjecture that a GUI adds a considerable footprint to your memory space. 94MB of RAM (96 - 2 for video?) is not very much; I run a much simpler firewall with 128MB (Debian, no GUI, very spartan) and that is cutting it close for me. Also, my firewall is 2.0GHz, not 200MHz.

It may simply be that your computer is too slow - I wouldn't run a firewall on anything less than a PIII/equivalent with 128MB of RAM, no matter what size. You should also know (if you don't already) that iptables processes rules linearly, so each one you add makes a difference.

Derick Anderson
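An added example, not from this thread and not SuSEfirewall2's own configuration, of the ordering Derick describes as a dry-run shell script: with default DROP policies on INPUT and FORWARD, the subnets you don't want are dropped first, then TCP packets in an invalid state or NEW without SYN, and only then are established flows (an addition beyond the reply, but the cheapest way to keep the ruleset short) and a handful of ports accepted. Because iptables walks the chain linearly, the checks that reject the most traffic sit at the top. The interface names, the two documentation address ranges and the port list are placeholders; IPT defaults to echoing the commands so the script runs on a machine without iptables, and setting IPT=iptables applies them for real.

```shell
#!/bin/sh
# Dry run by default: each rule is printed rather than loaded.
# Run with IPT=iptables to apply for real (needs root).
IPT="${IPT:-echo iptables}"

# Placeholders (assumed values, not from the thread):
WAN_IF="eth0"                              # Internet-facing interface
LAN_IF="eth1"                              # internal interface
BAD_NETS="192.0.2.0/24 198.51.100.0/24"    # stand-ins for "subnets you don't like"
OPEN_TCP_PORTS="22 80"                     # services the firewall itself offers

# Emit the ruleset in the order it should be evaluated.
build_ruleset() {
    # Default DROP on the chains that matter; outbound from the box is allowed.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD

    $IPT -A INPUT -i lo -j ACCEPT

    # 1. Drop the unwanted subnets before anything is accepted.
    for net in $BAD_NETS; do
        $IPT -A INPUT   -i "$WAN_IF" -s "$net" -j DROP
        $IPT -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
    done

    # 2. Drop bad TCP: invalid connection-tracking state, and NEW without SYN.
    $IPT -A INPUT   -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT   -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    $IPT -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

    # 3. Replies to traffic already allowed; most packets match here and stop.
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 4. Finally, the few new connections we actually want.
    for port in $OPEN_TCP_PORTS; do
        $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
}

# Number of -A rules the ruleset contains (a rough cost measure, since the
# chain is walked linearly until a rule matches).
rule_count() {
    build_ruleset | grep -c -- ' -A '
}

# 1-based position of the first emitted command matching the given pattern,
# used to confirm that drops precede accepts.
rule_index() {
    build_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

build_ruleset
```

In dry-run mode the output is the full command list; comparing `rule_count` against the 200-plus rules in the original iptables-save output shows how much shorter a ruleset of this shape is, and `rule_index` can be used to confirm that every DROP sits above the first ACCEPT of a new connection.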