[unisog] IPTables as high bandwidth firewall

Jordan Wiens numatrix at ufl.edu
Thu Aug 4 18:56:21 GMT 2005


I'd highly recommend looking into this for large rulesets.  While I 
haven't looked at hipac specifically, its opening paragraph sums up 
exactly the point I'd make about iptables:

"iptables, like most packet filters, uses a simple packet classification 
algorithm which traverses the rules in a chain linearly per packet until a 
matching rule is found (or not). Clearly, this approach lacks efficiency"

Depending on the type of rules you'll be establishing, you'll want a more 
optimized packet filter.  If, for example, you have an exceedingly long 
list of random IPs you'd like to filter in some way, you can cheat 
somewhat by creating 256 chains for the first octet (for example) and 
branching to the right ruleset based on a netmask comparison, to speed up 
IPtables' linear search, but it is by no means optimal.

Of course again, that's all dependent on the type of rules you're planning 
on implementing.

-- 
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061
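The per-first-octet chain trick described above, as an added example that is not part of the original thread: a POSIX sh script that turns a constructed blocklist into an iptables-restore fragment, with one /8 dispatch rule per octet in INPUT and the individual DROP rules inside the matching bucket chain. The chain names (BL_<octet>) and the sample addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example: bucket a blocklist by first octet so INPUT holds at most 256
# "/8 dispatch" rules and each packet walks only the DROP rules of its own
# bucket instead of the whole list. Chain names (BL_<octet>) and the blocklist
# below are assumptions of this example, not from the original post.

# Constructed sample blocklist (documentation ranges), one IPv4 address per line.
BLOCKLIST='203.0.113.7
203.0.113.99
198.51.100.23
192.0.2.1
192.0.2.200'

# Name of the bucket chain an address is dispatched to, e.g. 192.0.2.1 -> BL_192
chain_for_ip() {
    printf 'BL_%s\n' "${1%%.*}"
}

# Read addresses from stdin and print a complete *filter table fragment:
# chain declarations, one /8 dispatch rule per octet in INPUT, then the DROP
# rules inside each bucket chain.
gen_octet_chains() {
    list=$(grep . | sort -u)
    octets=$(printf '%s\n' "$list" | cut -d. -f1 | sort -n -u)
    printf '%s\n' '*filter'
    for o in $octets; do
        printf ':BL_%s - [0:0]\n' "$o"
    done
    for o in $octets; do
        # Netmask comparison on the first octet selects the bucket chain.
        printf -- '-A INPUT -s %s.0.0.0/8 -j BL_%s\n' "$o" "$o"
    done
    for ip in $list; do
        printf -- '-A %s -s %s -j DROP\n' "$(chain_for_ip "$ip")" "$ip"
    done
    printf '%s\n' 'COMMIT'
}

# Stand-alone run: print the fragment (feed it to iptables-restore to load it).
printf '%s\n' "$BLOCKLIST" | gen_octet_chains
```

Lookup inside a bucket is still a linear walk, so this shrinks the search rather than removing it, which is the "by no means optimal" caveat above.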
-------------- next part --------------
On Wed, Aug 03, 2005 at 03:00:45PM -0700, Johan van Reijendam wrote:
<snip>
> 4. What about
> 
> - Large rule sets
You might want to look into nf-hipac (http://www.hipac.org/).
The last time I did any testing on this, default iptables performance
with many rules (I believe anything above the 1000 magnitude) was
abysmal. With those patches, performance was marginally above openbsd/pf
on the same hardware (near 1gb/linespeed, iirc)

I think this is going to be an issue given that some of the shortcuts 
(tables, etc) available via pf on the *bsds aren't available on linux, so
it might be _more_ likely you'd need larger rulesets.

hth.