Togan Muftuoglu

* Mark Gray; on 13 May, 2003 wrote:
> Write your own firewall script (if you take a look at the output of "iptables -L" while running SuSEfirewall you will get a good idea why it is running slow -- the iptables it sets up for even the simplest system is rather baroque :-)
Out of curiosity, what makes you think it is baroque?
It seems to me if you only use it to allow certain services, ACCEPT rules for those services with a default DROP policy should be sufficient, but SuSEfirewall will generate so many extraneous rules and user-defined chains that the top will scroll off the screen if you try to list it at the console. The only reason I can see for this is to allow it to continue to be written as a bash shell script and configured using only simple questions. Given that extraordinary effort went into making the Linux IP stack as efficient as possible -- zero copy, cache line alignment, etc. -- it seems a waste for a packet to have to go through all those rules when an ACCEPT as early as possible in the chain is all that is necessary.

(I am not really calling SuSE on the carpet for this -- I long ago decided it was too inflexible and far too complex for my simple needs, wrote my own script, and kept my mouth shut until today. You can blame excessive coffee (even for me) for my sudden outburst :-) Take a look at the output of 'iptables -L -v' for yourself if you are using SuSEfirewall, compare it with the functionality you wanted when you answered all those questions, and trace a packet through that chain of rules to get an idea of what might be slowing down the original poster's server.)
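A ruleset of the shape Mark describes (default DROP policy, one ACCEPT per allowed service, the rules that match most traffic placed first), as an added example that is not from the thread or from SuSEfirewall. The function names are hypothetical, and the loopback and ESTABLISHED,RELATED shortcuts are my assumption about what a minimal script would include; the output is in iptables-restore format so it can be reviewed as text before anything is applied.

```shell
#!/bin/sh
# Added example (not from the thread): emit a minimal iptables-restore ruleset
# with a default DROP policy and one ACCEPT rule per allowed TCP service.
# gen_ruleset and rule_count are hypothetical names chosen for this example.

# gen_ruleset PORT...  -> prints a "filter" table for iptables-restore on stdout
gen_ruleset() {
    printf '%s\n' '*filter'
    # Default policies: anything not explicitly accepted on INPUT/FORWARD is dropped.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # The rules that match the bulk of traffic go first, so most packets stop
    # after one or two rule evaluations instead of walking the whole chain.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # One ACCEPT per service for new connections: the only per-service rules.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# rule_count PORT...  -> number of -A rules in the generated ruleset, for
# comparison with 'iptables -S | grep -c "^-A"' on a SuSEfirewall host
rule_count() {
    gen_ruleset "$@" | grep -c '^-A '
}

# Usage (review the text first, then apply as root on a test machine):
#   gen_ruleset 22 80 443                      # print the ruleset
#   gen_ruleset 22 80 443 | iptables-restore   # load it, replacing the filter table
```

Counting `-A` lines on both sides gives a rough measure of how many rules a packet can traverse; the first two ACCEPT rules are what keep that traversal short for established connections.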