Mon, 4 Mar 2002 10:29:45 +0100
Our university network (134.60.*.*) currently uses a Checkpoint
firewall, but (due to some problems) we want to switch to a linux 2.4
Currently, we have an allow all, deny some policy, but our new (planned)
policy would be deny all, allow some with udp and incoming tcp, and deny
some on outgoing tcp.
As there is no real pattern regarding which IP addresses provide which
services (each local department admin is free to offer services - this
is a university), this could easily result in a few thousand rules.
As the firewall has to cope with about 600 MBit peak bandwidth,
scalability is an issue. A linear walk-through over those thousands of
rules would surely be much too slow.
I did some googling, and scanned through the FAQ and most of the Howtos
on netfilter.samba.org, but didn't find anything useful about
So now our question is: How scalable is the linux firewalling
architecture? Is there any internal optimization on the rules?
Do you have any pointers to documentation or benchmark results about
Thank you very much,
"Your opinion is repugnant to me, but I would let myself be beaten to death
for your right to say it." - Voltaire
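As an added illustration of the scalability concern raised above (example code, not from the original post or the netfilter project): iptables walks each chain linearly, so the usual mitigation for a deny-all/allow-some policy with thousands of per-host rules is to split them into user-defined chains selected by destination subnet. The model below compares a flat walk with a per-/24 dispatch inside 134.60.0.0/16; the rule tuple format and the synthetic policy are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample policy (no real hosts): (dst_ip, proto, port) allow rules.
# Anything not listed is dropped by the deny-all default.
SAMPLE_RULES = [
    ("134.60.1.10", "tcp", 22),
    ("134.60.1.10", "tcp", 80),
    ("134.60.7.5", "tcp", 443),
    ("134.60.200.33", "udp", 53),
]

def match_linear(rules, dst, proto, port):
    """Flat chain: rules are tested in order until one matches.
    Returns (accepted, number_of_rules_examined)."""
    for examined, (r_ip, r_proto, r_port) in enumerate(rules, 1):
        if r_ip == dst and r_proto == proto and r_port == port:
            return True, examined
    return False, len(rules)

def build_dispatch(rules):
    """Model of user-defined chains: one chain per /24 of the /16, chosen by
    the destination's third octet, so only that subnet's rules are walked."""
    chains = defaultdict(list)
    for r_ip, r_proto, r_port in rules:
        subnet = ipaddress.ip_network(f"{r_ip}/24", strict=False)
        chains[subnet].append((r_ip, r_proto, r_port))
    return chains

def match_dispatch(chains, dst, proto, port):
    """One jump to the subnet chain, then a linear walk of that chain only."""
    subnet = ipaddress.ip_network(f"{dst}/24", strict=False)
    accepted, examined = match_linear(chains.get(subnet, []), dst, proto, port)
    return accepted, examined + 1  # +1 for the dispatch rule itself

def constructed_policy(hosts_per_subnet=8):
    """Constructed synthetic policy: a couple of thousand allow rules spread
    evenly over every /24 in 134.60.0.0/16 (assumption, not real data)."""
    return [(f"134.60.{s}.{h}", "tcp", 22)
            for s in range(256) for h in range(1, hosts_per_subnet + 1)]

def worst_case(rules):
    """Worst-case rules examined for a packet that does match: flat vs dispatch."""
    chains = build_dispatch(rules)
    flat = max(match_linear(rules, ip, pr, po)[1] for ip, pr, po in rules)
    disp = max(match_dispatch(chains, ip, pr, po)[1] for ip, pr, po in rules)
    return flat, disp
```

The dispatch model still walks one chain linearly, so it only helps when rules are spread across many subnets; a /24 holding hundreds of rules would need a further split (for example by protocol).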