 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] block using zonefiles
 Date:  Sat, 28 Jul 2007 16:11:03 -0400
On 7/28/07, Peter Teunissen <lists at onemanifest dot net> wrote:
> Another thing I'm curious about is the performance of such a huge
> list of IPs. If I succeed, I'll post my findings.

My primary concern is webGUI performance. I've worked on installs
requiring pretty ugly rulesets since m0n0wall can't do host, network,
and port groupings.  The rules page with a couple hundred rules on a
4801 can take 30 seconds to load. It may take minutes to load a page
with the thousands of rules that you would end up with, plus all the
block rules would have to come before any pass rules so you would have
to scroll all the way to the bottom of those to get to your pass

Since Manuel's in the development mood today it seems, I'll make a
suggestion.  :)  Adding host, network, and port groupings probably
isn't that difficult. Though it would make a long back end rule set
(10 hosts with 10 ports would be 100 rules), if that's what you
require it's a lot better having 1 rule in the GUI than 100 rules. I
have some installs where this would *really* help my sanity. I don't
know how well ipfilter scales with huge rule sets, but I don't think
it would be a major problem.
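As an added illustration of the "10 hosts with 10 ports would be 100 rules" expansion described above (this is example code written for this page, not m0n0wall or ipfilter code), the following expands GUI-level host and port groupings into the flat per-host, per-port rules a back end would have to emit, and keeps all block rules ahead of pass rules since ipfilter's `quick` rules match first-wins. The rule text uses a simplified ipfilter-style syntax, and the interface name, addresses and port lists are constructed sample data.

```python
from itertools import product

# Example only: a minimal expander for host/port groupings into flat
# ipfilter-style rules. Syntax is simplified; interface/addresses are
# constructed sample values, not taken from any real configuration.

def expand_rule(action, iface, proto, hosts, ports, direction="in"):
    """Return one rule string per (host, port) pair: len(hosts) * len(ports)."""
    return [
        f"{action} {direction} quick on {iface} proto {proto} "
        f"from {host} to any port = {port}"
        for host, port in product(hosts, ports)
    ]

def build_ruleset(gui_rules):
    """Expand a list of GUI rules (dicts) into back-end rules.

    Block rules are emitted before pass rules so that, with first-match
    'quick' semantics, a blocked host never reaches a later pass rule.
    """
    blocks, passes = [], []
    for r in gui_rules:
        flat = expand_rule(r["action"], r["iface"], r["proto"],
                           r["hosts"], r["ports"])
        (blocks if r["action"] == "block" else passes).extend(flat)
    return blocks + passes

# Constructed sample groupings: a 10-host block list and a 10-port group,
# plus a single pass rule for SSH from one documentation-range network.
BLOCKLIST = [f"192.0.2.{i}/32" for i in range(1, 11)]
WEB_PORTS = [80, 443, 8080, 8443, 8000, 8008, 81, 82, 83, 84]
SAMPLE = [
    {"action": "pass", "iface": "fxp0", "proto": "tcp",
     "hosts": ["198.51.100.0/24"], "ports": [22]},
    {"action": "block", "iface": "fxp0", "proto": "tcp",
     "hosts": BLOCKLIST, "ports": WEB_PORTS},
]

if __name__ == "__main__":
    rules = build_ruleset(SAMPLE)
    print(f"{len(SAMPLE)} GUI rules -> {len(rules)} back-end rules")
    print("\n".join(rules[:3]), "\n...")
```

Two GUI rules here become 101 back-end rules (10 x 10 block rules plus one pass rule), which is the multiplication the message warns about; the GUI, however, only has to render two entries.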