Togan Muftuoglu

* Mark Gray writes:
> It seems to me if you only use it to allow certain services, ACCEPT rules for those services with a default DROP policy should be sufficient, but SuSEfirewall will generate so many extraneous rules and user-defined chains that the top will scroll off the screen if you try to list it at the console. The only reason I can see for this is

Not necessarily; it depends how you configure it. "To err is human."

> to allow it to continue to be written as a bash shell script and configured using only simple questions. Given that extraordinary effort went into making the Linux IP stack as efficient as possible -- zero copy, cache line alignment etc., it seems a waste for a packet to have to go through all those rules when an ACCEPT as early as possible in the chain is all that is necessary.

SuSEfirewall2, which comes with 8.1 and 8.2, is actually faster than previous versions due to the created chains. Well, you can reduce the generated rules by:

1. Only putting in the network interfaces you really need.
2. Disabling logging.
3. Setting FW_PROTECT_FROM_INTERNAL to no.
4. Disabling the service autoprotecting feature.
5. Setting all FW_ALLOW_* and FW_SERVICE_* to no.
6. Not using routing or masquerading :-)
7. Only enabling the routing/services you really need, and making the statements as general as possible to reduce the number of definitions.

> SuSEfirewall, and compare it with the functionality you wanted when you answered all those questions, and trace a packet through that chain of rules to get an idea of what might be slowing down the original posters server.)

Well, we do not know the hardware details of the OP; as he mentioned he converted from RH 5.0 to SuSE 8.1, it could be an old 486, which I would say lacks the necessary power for the goodies you mention in the kernel :-)

-- 
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
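The thread argues about rule bloat by eye ("the top will scroll off the screen"). A quick way to put a number on it, before and after trimming the configuration as suggested above, is to count rules and user-defined chains in an `iptables-save` dump. The script below is an added example written for this page, not code from the thread or from SuSEfirewall2; the dump it parses is constructed here to stand in for real `iptables-save` output, and the chain names in it are illustrative, not SuSEfirewall2's own.

```shell
#!/bin/sh
# Added example: measure how many rules and user-defined chains a generated
# firewall adds, from an iptables-save style dump read on stdin.

# Constructed sample dump (assumption: it stands in for `iptables-save`
# output on a host running a script-generated firewall).
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:input_ext - [0:0]
:input_int - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j input_ext
-A INPUT -i eth1 -j input_int
-A input_ext -p tcp --dport 22 -j ACCEPT
-A input_ext -p tcp --dport 80 -j ACCEPT
-A input_ext -j LOG --log-prefix "FW-DROP "
-A input_ext -j DROP
-A input_int -j ACCEPT
COMMIT'

# Total number of rules (-A lines) in the dump on stdin.
rule_count() {
    grep -c '^-A '
}

# Number of user-defined chains: ":name - [pkts:bytes]" lines on stdin
# (built-in chains carry a policy such as DROP or ACCEPT instead of "-").
user_chain_count() {
    grep -c '^:[^ ]* - '
}

# One "chain count" line per chain, sorted bytewise so output is stable.
rules_per_chain() {
    awk '/^-A /{ n[$2]++ } END { for (c in n) print c, n[c] }' | LC_ALL=C sort
}

# Rules in the chain named by $1 that terminate in ACCEPT; comparing this with
# the chain's total shows how many rules a packet may traverse before an ACCEPT.
accept_rules_in_chain() {
    awk -v chain="$1" '$1=="-A" && $2==chain && $NF=="ACCEPT"{ n++ } END { print n+0 }'
}

# Usage: run against a live box with  iptables-save | rules_per_chain
printf '%s\n' "$SAMPLE_DUMP" | rules_per_chain
```

Run `iptables-save | rules_per_chain` on the firewall host before and after applying the configuration changes listed above; the drop in per-chain counts is the effect being argued about in the thread.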