Chris Buechler wrote:
> On 1/10/07, Ulrik Lunddahl (PROconsult) <ul at proconsult dot dk> wrote:
>> Hello list!
>> I have a customer who has a transaction server, the server receives
>> small UDP packets and sends small UDP packets back to the requesting
>> He asks if he can use m0n0wall as a firewall, but I'm not sure.
>> He has around 10.000 firewall rules permitting UDP packets for the
>> customers public IP addresses, how will m0n0wall handle this on modern PC
>> Is the session table, or xlate or whatever it's called large enough to handle
> That has no relation to the number of firewall rules. The max is 30K
> states - networks vary too widely for me to even venture to guess how
> many states that's using.
> With 10,000 firewall rules, loading the rules page is probably going
> to take forever and a day. The worst I've ever tried was about 150
> rules on a 4801 (266 MHz), and it took nearly a minute to fully load
> the rules page. Granted a 4801 isn't a fast box by any means, but even
> on a fast box it could take a couple minutes to load the rules page
> with 10K firewall rules. I'm not sure if anybody has an install using
> nearly that many rules.
> My first reaction to anyone that says they have 10K firewall rules is
> that they're not optimizing their ruleset, so I would definitely look
> for ways to shrink that list substantially (for reasons other than
> performance). It may not be the case here, but I've yet to see even a
> large complex network that needed remotely close to that many rules on
> a perimeter firewall.
I have several firewalls in production and never saw that many rules on
a firewall. I'd imagine that this is a typo! If this is real, I'd be
very curious to get a picture of the way they ended up having that many
rules! Is it because of a lack of knowledge or is it a really weird
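To make the "shrink the ruleset" advice concrete, here is an added example (my own illustration, not code from m0n0wall or from anyone on the list) that takes a constructed list of per-host UDP pass rules, like the 10K rules described above, merges them into the smallest equivalent set of CIDR blocks, and then checks that the merged set permits exactly the same packets. The rule tuple format and the sample addresses are assumptions for the demonstration, not m0n0wall's own syntax.

```python
import ipaddress
from collections import defaultdict

# Constructed sample ruleset: one "pass" rule per customer host, the pattern
# that produces thousands of rules. Format: (action, proto, dst_ip, dst_port).
SAMPLE_RULES = (
    [("pass", "udp", f"203.0.113.{i}", 5000) for i in range(0, 16)]
    + [("pass", "udp", f"198.51.100.{i}", 5000) for i in range(32, 48)]
    + [("pass", "udp", "198.51.100.200", 5000),
       ("pass", "udp", "203.0.113.40", 6000)]
)


def collapse_rules(rules):
    """Merge rules that differ only in destination address into the smallest
    set of CIDR blocks, keeping action, protocol and port as the group key.
    Adjacent aligned hosts become one supernet; stragglers stay as /32s."""
    groups = defaultdict(list)
    for action, proto, dst_ip, dst_port in rules:
        groups[(action, proto, dst_port)].append(ipaddress.ip_network(dst_ip))
    collapsed = []
    for (action, proto, dst_port), nets in groups.items():
        for net in ipaddress.collapse_addresses(nets):
            collapsed.append((action, proto, str(net), dst_port))
    return sorted(collapsed)


def permits(rules, proto, dst_ip, dst_port):
    """Does any pass rule in the set match this packet? Used to confirm the
    collapsed set neither widens nor narrows what the original allowed."""
    addr = ipaddress.ip_address(dst_ip)
    return any(
        action == "pass" and p == proto and port == dst_port
        and addr in ipaddress.ip_network(net)
        for action, p, net, port in rules
    )


def equivalent(before, after, probes):
    """Compare both rulesets on a list of (proto, ip, port) probe packets."""
    return all(permits(before, *pr) == permits(after, *pr) for pr in probes)


if __name__ == "__main__":
    merged = collapse_rules(SAMPLE_RULES)
    print(f"{len(SAMPLE_RULES)} rules collapsed to {len(merged)}")
    for rule in merged:
        print(rule)
```

In a real audit the probe list would be generated from the original rules' addresses plus their neighbours, so that any boundary the merge got wrong is exercised.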