----- Original Message ----
> From: Richard Horton <arimus.uk@xxxxxxxxxxxxxx>
> To: John Little <jlittle_97@xxxxxxxxx>
> Cc: netfilter@xxxxxxxxxxxxxxx
> Sent: Thursday, October 1, 2009 7:54:06 AM
> Subject: Re: Using iptables with high volume mail
>
> 2009/10/1 John Little :
>
> > What modules, tables and rules to use to optimize iptables for this type
> > volume? All of the mail is sent on the standard port 25. We need to optimize
> > for quick deliverability. (I've read the man page and looked at TOS with the
> > mangle table. I read somewhere that this is only for udp.)
>
> Setting the DSCP / ToS field via mangle will work with IP traffic
> regardless of payload type (UDP/TCP/IPSEC Tunnelled/etc). However,
> there is only any point in applying it for 'quick' delivery if the
> upstream routers are configured to apply a diffserv policy on a per
> hop basis.
>
> Apart from that 'quick delivery' isn't really something diffserv can
> give you: EF traffic (Expedited Forwarding) is intended for real-time
> jitter sensitive traffic where loss is less of an issue than excessive
> inter-packet delay. For reliable delivery use an AFxx class. However I
> don't believe applying diffserv / tos in your case will achieve the
> end results you are looking for unless you have control over all the
> hops along the mail path, or SLAs in place with the network
> provider(s) -- and usually once you exceed your purchased amount of
> traffic within a class it's either remarked or dropped - and strictly
> under diffserv should be dropped as you should not remark outside of a
> class.
>
> --
> Richard Horton
> Users are like a virus: Each causing a thousand tiny crises until the
> host finally dies.
> http://www.solstans.co.uk - Solstans Japanese Bobtails and Norwegian Forest Cats
> http://www.pbase.com/arimus - My online photogallery

Hi Richard,

Good point. We don't control the hops on the mail path. We also strictly observe the traffic rules that we have agreed to with the upstream providers.
As I think about my question and your answers, the next part would be that we want to "streamline" our iptables rules so that they are working efficiently and not consuming any more resources than are necessary. To that end I would think that I would probably need to have some rules written and post them here for review. Resource consumption has been a major issue with the commercial devices we have tried. This has led to the question of building the machines with iptables that are tuned specifically for our environment. I realize that other kernel tuning parameters need to be factored in as well. I just want to make sure we have all of our bases covered.

Thanks,
John

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
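As an added example (not posted by either participant), the following shell function emits an iptables-restore ruleset of the kind John asks for: the filter chain is ordered so that packets of already-tracked connections leave on the first match, and the mangle table marks outbound port 25 traffic with an AF class as Richard describes. The interface name eth0, the AF21 class and the "smtp-relay" prefix are assumptions; the marking only has an effect where upstream hops honour diffserv.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables-restore ruleset for a
# busy outbound SMTP relay. eth0 and AF21 are assumed values.
gen_mail_rules() {
    cat <<'EOF'
*mangle
:POSTROUTING ACCEPT [0:0]
# Mark outbound SMTP with an assured-forwarding class. Harmless if no
# upstream hop applies a diffserv policy, but then also pointless.
-A POSTROUTING -o eth0 -p tcp --dport 25 -j DSCP --set-dscp-class AF21
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Fast path first: on a high-volume relay nearly every packet belongs
#    to a connection conntrack already knows, so it is accepted here and
#    never evaluated against the rules below.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# 2. Only the first packet of each connection reaches the service rules.
-A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# 3. Rate-limit logging of everything else so a scan cannot fill the disk.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "smtp-relay-drop: "
COMMIT
EOF
}

# Sanity check on the generated text: the ESTABLISHED,RELATED rule must
# precede the first NEW-state rule, or every packet pays for the whole chain.
check_order() {
    rules=$(gen_mail_rules)
    est=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED,RELATED' | cut -d: -f1)
    new=$(printf '%s\n' "$rules" | grep -n 'ctstate NEW' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}

# Load with:  gen_mail_rules | iptables-restore   (requires root)
# Related kernel knob to size for the connection rate: nf_conntrack_max.
```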