Re: [cobalt-users] Performance penalty on IPCHAINS?
- Subject: Re: [cobalt-users] Performance penalty on IPCHAINS?
- From: Paul Warner <pwarner@xxxxxxxxxxxxxxxxxx>
- Date: Fri Oct 25 04:12:00 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> > > Is there a significant performance penalty if one inserts
> > > many source DENYs? Where there is an IP that consistently is
> > > probing a machine, are there better ways to deny access? I
> > > have about 25 or so 'regulars' that I have added to the DENY
> > > lists but don't want to shoot myself in the foot either!
> > >
> >
> > If your host can deny them at the router, of course you'll never see it
> > at the server.
>
> Dan has suggested the best way of course if your host is willing.
>
> However I have blocked 200+ IPs with DENY and see no performance impact
> on RAQ3s or RAQ4s.
>
> I personally use DENY without logging for each IP and leave the main
> REJECT to log all others. Although REJECT did prevent access
> from these 200+ IPs, syslog went mad logging it all to the kernel log,
> which definitely did have a performance issue.
>
That's my issue as well. I want to log access to some ports, but when a
specific IP which has no business on this box hits the NFS port 1000x an
hour for days, you begin to re-think (and check disk space). The latest one
is getting stopped, but is a persistent little turd:
Oct 24 18:21:19 aegis kernel: Packet log: input DENY eth0 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=24581 F=0x4000 T=64 (#17)
I have spoken to my ISP about tossing some packet types at their router
(obviously spoofed, etc) and they are unwilling to do so for fear that there
may be a legitimate application another of their users has that
sends/receives on bogus and/or private addresses.
Thanks for the advice, Dan and Brett!
-- P
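The rule arrangement discussed above (unlogged DENY for the known repeat offenders, placed before a logged REJECT that still catches new probers on the NFS ports) as an added example script; it is not from the original thread or from Cobalt. The source addresses are constructed placeholders from the RFC 5737 documentation ranges, and IPCHAINS=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Constructed example: silent DENY for known noisy sources, logged REJECT for the rest.
# Set IPCHAINS=echo to preview the generated rules without touching the firewall.
IPCHAINS="${IPCHAINS:-ipchains}"
IFACE="${IFACE:-eth0}"

# Placeholder offenders (RFC 5737 test ranges); replace with the real repeat sources.
NOISY_SOURCES="198.51.100.7 198.51.100.23 203.0.113.90"

# Drop everything from the listed sources without -l, so syslog stays quiet
# no matter how many times an hour they hit the box.
add_quiet_denies() {
    for src in $NOISY_SOURCES; do
        "$IPCHAINS" -A input -i "$IFACE" -s "$src" -j DENY
    done
}

# Anyone else reaching the NFS-related ports (portmapper 111, nfsd 2049) is
# rejected with logging on (-l), so new probers still appear in the kernel log.
add_logged_rejects() {
    for port in 111 2049; do
        "$IPCHAINS" -A input -i "$IFACE" -p tcp --dport "$port" -j REJECT -l
        "$IPCHAINS" -A input -i "$IFACE" -p udp --dport "$port" -j REJECT -l
    done
}

# Order matters: ipchains stops at the first matching rule, so the quiet DENYs
# must be appended before the logged REJECTs or the noisy hosts get logged anyway.
apply_rules() {
    add_quiet_denies
    add_logged_rejects
}

# Sanity check before applying: how many of the generated rules will log?
count_logged_rules() {
    (IPCHAINS=echo; apply_rules) | grep -c -- ' -l'
}

case "${1:-}" in
    apply)   apply_rules ;;
    preview) (IPCHAINS=echo; apply_rules) ;;
esac
```

Run with `sh rules.sh preview` to inspect the rule order, and `sh rules.sh apply` as root to install it.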