Hi there,

On Wed, 19 Dec 2007, Jimmy Stewpot wrote:

> I am currently using iptables on Linux kernel version 2.6.15 (Ubuntu
> Dapper). I have recently been having problems with my server's load going
> through the roof as remote hosts do nmap scans against the server. My
> current iptables configuration is as follows:
> [snip]
> It seems from my performance diagnostics it's the logging which is
> causing the system to buckle rather than the packet rate or anything
> like that. Since I first noticed the system being hammered I put the -m
> limit --limit 10/min on the LOG rule but it appears to either not work
> or I have put it in the wrong place. Can anyone give me some advice
> regarding performance and logging?

Most of the time I see no point in logging dropped packets with iptables.

In my systems, iptables drops packets as soon as possible. What little
logging is done is done by p0f, directly to a file. That process can be
killed at any time, with no adverse effect on system operation.

Syslog-ng feeds data to one of several scripts, which in turn log to a
database, if (and only if) a packet is accepted. There are different
scripts for mail, http, whatever. Compared with the other things that the
boxes are doing, the load is negligible.

--
73,
Ged.

-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
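The rule placement the original poster asks about, as an added example that is not part of either message: a filter table in iptables-save format where the rate-limited LOG rule sits before the DROP that ends chain traversal, plus a small check that flags LOG rules placed after a terminating rule or lacking -m limit. The chain name, the accepted port and the log prefix are assumptions chosen for illustration, not the snipped configuration.

```shell
#!/bin/sh
# Added example, not the poster's snipped config: chain name, ports and the
# log prefix are assumptions chosen for illustration.

# Emit a filter table in iptables-save format. A DROP ends chain traversal, so
# a LOG rule listed after it is never reached and its -m limit never applies;
# the LOG must come first. 10/min with the default burst of 5 allows five log
# lines at once, then one every six seconds while the scan lasts.
good_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 10/min --limit-burst 5 -j LOG --log-prefix "IN-DROP: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Constructed counter-example of the ordering mistake: DROP listed first, so
# the LOG rule is dead and nothing is logged at all.
bad_ruleset() {
    printf '%s\n' \
        '-A LOGDROP -j DROP' \
        '-A LOGDROP -m limit --limit 10/min -j LOG --log-prefix "IN-DROP: "'
}

# Check one chain of an iptables-save dump read on stdin: every LOG rule must
# carry -m limit and precede the chain's first unconditional DROP/REJECT.
# Exit 0 when the chain is sane, 1 otherwise, naming the offending rule.
check_chain() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            if ($0 ~ /-j LOG( |$)/) {
                logs++
                if ($0 !~ /-m limit /) { print "no -m limit: " $0 > "/dev/stderr"; bad = 1 }
                if (dead) { print "unreachable after DROP: " $0 > "/dev/stderr"; bad = 1 }
            } else if (NF == 4 && ($4 == "DROP" || $4 == "REJECT")) {
                dead = 1
            }
        }
        END { if (!logs) { print "no LOG rule in " chain > "/dev/stderr"; bad = 1 }
              exit (bad ? 1 : 0) }'
}

good_ruleset | check_chain LOGDROP && echo "LOGDROP: ok"
```

Load the emitted table with `iptables-restore`, and run `iptables-save | check_chain LOGDROP` (or whichever chain carries the LOG) to confirm the live ruleset has the same ordering.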