On Friday 2012-08-24 23:12, Arturo Borrero wrote:

>DNS lookups are a problem in a big ruleset (~10,000 rules), so the point is
>to do some kind of local cache.

So run a local BIND server, lwresd, dnsmasq, nscd, or whatever.

>As I supposed, the double stack method is not being well approached yet.

What isn't?

>The code (bash) is here:
>https://github.com/aborrero/fw-admin

sh is amongst the *slowest* of all. Your README.md says

>You usually set your ruleset in this way:
>
>$IPT -A INPUT -i $IF -s $INTERNET -d $MYSERVER -p tcp --sport 1024: --dport
>$SSH_PORT -j ACCEPT

If you begin with something like this, no wonder it's all going slow,
because you are needlessly reloading all the damn rules. That's why smart
people use iptables-restore.

Also, the --sport 1024: is pretty dull, because there is no RFC that
forbids the use of numbers lower than that.

>Also, fw-admin is just a complex bash script

Its greatest problem, btw.

-- 
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
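An added example, not from the mail above and not fw-admin's own code, showing the iptables-restore approach the reply recommends: the whole ruleset is generated as one iptables-restore-format text and loaded in a single atomic step, rather than one "iptables -A" invocation per rule, and the per-source SSH rules carry no "--sport 1024:". The interface name, the server address, the SSH port and the two-entry host list are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original mail, not fw-admin code): build a
# complete ruleset in iptables-restore format and load it atomically.
# Every name and address below is an assumption made for the example.

IF="eth0"               # assumed ingress interface
MYSERVER="192.0.2.10"   # assumed server address (TEST-NET-1)
SSH_PORT="22"

# Constructed list of "name address" pairs (the kind of data a generator
# would otherwise resolve per rule; here it is pre-resolved so no DNS
# lookup happens while building the ruleset).
HOSTS="admin1 198.51.100.5
admin2 198.51.100.6"

# Emit the whole ruleset on stdout in the format iptables-restore reads.
gen_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # One rule per allowed source.  No "--sport 1024:": nothing stops a
    # client from using a low source port, so the match buys nothing.
    printf '%s\n' "$HOSTS" | while read -r name addr; do
        [ -n "$addr" ] || continue
        printf '%s\n' "-A INPUT -i $IF -s $addr -d $MYSERVER -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of rule lines ("-A ...") in the generated ruleset.
count_rules() {
    gen_ruleset | grep -c '^-A'
}

# Parse-check the ruleset without touching the kernel (iptables-restore
# --test), then commit it in one step.  Needs root to actually load.
load_ruleset() {
    f=$(mktemp) || return 1
    gen_ruleset > "$f"
    iptables-restore --test "$f" && iptables-restore "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

# Usage:  ./ruleset.sh        prints the generated ruleset
#         ./ruleset.sh load   validates and loads it (as root)
case "${1:-}" in
    load) load_ruleset ;;
    *)    gen_ruleset ;;
esac
```

The generated text contains no hostnames, so the one place a DNS lookup could slow things down is moved out of the load path entirely; the kernel sees a single commit instead of thousands of table replacements.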