(no subject)

Michael H. Warfield mhw@wittsend.com
Fri, 6 Jul 2001 21:35:30 -0400


On Sat, Jul 07, 2001 at 02:19:28AM +0100, Andrew Meredith wrote:

	[...]

> 64K ISDN

> > 	In other words, the capacity of your firewall to deal with your
> > filtering load depends more on the type of connection than it does
> > on netfilter vs ipchains.

> Sorry, I was meaning iptables but with a much heavier use of the
> connection tracking. The old way just allowed packets of the right
> address, port and interface without much reference to their state.

	In that case, the problem is not going to be the connection
tracking but possibly your logs (as it was with ipchains - just more
logging means more problems).  When syslog starts piling up multi-
megabyte files, it gets a bit slow.  You might want to fine-tune your log
rotation to rotate on a daily basis if your logs are growing too large.

	Depending on your address space, this can get to be real serious.
I monitor a "darknet" (large address space with no allocations) of
over a /17 in size (yes, more than 32,000 addresses).  That builds up
some mind-boggling logs in ridiculously little time.  You would think
that the script kiddies had better things to do than scan the planet
but, apparently not.  Just monitoring a /19 (8,000 addresses) for DNS
worms resulted in over 30,000 DNS bind version probes from 3,000 unique
IP addresses in less than 3 weeks' time.  My tcpdump logs of the /17
darknet were about 1/3 Meg in a couple of weeks' time.

	Of course, if you don't have half a class B in your back pocket,
you probably won't see quite soooo much traffic.  :-)  But watch your
logs.  They can quickly become your bottleneck.

> Andy M

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
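The message above says the logging, not the connection tracking, becomes the bottleneck, and illustrates it with counts of DNS probes and unique source addresses seen on a darknet. The script below is an added example (not from the original post or its author) of how a defender reduces raw netfilter LOG-target lines to those same summary figures offline: hits on a port, unique sources, and sources that sweep several darknet addresses. The log lines, the `DARKNET:` log prefix, the documentation-range addresses, and the "three distinct targets" sweep threshold are all constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of netfilter LOG-target lines as syslog would record them.
# The addresses are documentation ranges (RFC 5737), not real hosts, and the
# "DARKNET:" prefix is an assumed --log-prefix value.
SAMPLE_LOG = """\
Jul  6 21:35:30 fw kernel: DARKNET: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TTL=51 ID=1 PROTO=UDP SPT=1024 DPT=53 LEN=40
Jul  6 21:35:31 fw kernel: DARKNET: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.6 LEN=60 TTL=51 ID=2 PROTO=UDP SPT=1024 DPT=53 LEN=40
Jul  6 21:35:31 fw kernel: DARKNET: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TTL=51 ID=3 PROTO=UDP SPT=1024 DPT=53 LEN=40
Jul  6 21:35:40 fw kernel: DARKNET: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.9 LEN=60 TTL=48 ID=4 PROTO=TCP SPT=3112 DPT=53 WINDOW=5840 SYN
Jul  6 21:36:02 fw kernel: DARKNET: IN=eth0 OUT= SRC=198.51.100.3 DST=203.0.113.5 LEN=60 TTL=60 ID=5 PROTO=TCP SPT=4001 DPT=80 WINDOW=5840 SYN
Jul  6 21:36:05 fw kernel: some unrelated kernel message
"""

# Only the key=value fields we need; the LOG target emits many more.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Return a dict of SRC/DST/PROTO/DPT for a netfilter LOG line, else None."""
    if "IN=" not in line or "SRC=" not in line:
        return None  # not a LOG-target line
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields


def summarize(text, port=53, sweep_threshold=3):
    """Count probes to `port`, unique sources, and sources sweeping many targets.

    A source that hits `sweep_threshold` or more distinct destination
    addresses in the darknet is reported as a sweeper (horizontal scan).
    """
    hits = 0
    per_source = Counter()
    targets = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("DPT") != str(port):
            continue
        hits += 1
        per_source[rec["SRC"]] += 1
        targets[rec["SRC"]].add(rec["DST"])
    sweepers = sorted(s for s, t in targets.items() if len(t) >= sweep_threshold)
    return {
        "hits": hits,
        "unique_sources": len(per_source),
        "per_source": dict(per_source),
        "sweepers": sweepers,
    }


if __name__ == "__main__":
    # Usage: python darknet_summary.py < /var/log/kern.log  (stdin), or run
    # as-is against the constructed sample.
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    report = summarize(data)
    print(f"port-53 hits: {report['hits']}, unique sources: {report['unique_sources']}")
    for src, n in sorted(report["per_source"].items(), key=lambda kv: -kv[1]):
        print(f"  {src:16} {n}")
    print("sweepers:", ", ".join(report["sweepers"]) or "none")
```

Because the script reads the rotated file once and keeps only per-source counters, its memory stays proportional to the number of distinct sources rather than to the size of the log, which is the point of post-processing rotated logs instead of letting syslog and the firewall carry that load in real time.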