On 28-jul-2007, at 22:11, Chris Buechler wrote:

> On 7/28/07, Peter Teunissen <lists at onemanifest dot net> wrote:
>>
>> Another thing I'm curious about is the performance of such a huge
>> list of IPs. If I succeed, I'll post my findings.
>>
>
> My primary concern is webGUI performance. I've worked on installs
> requiring pretty ugly rulesets since m0n0wall can't do host, network,
> and port groupings. The rules page with a couple hundred rules on a
> 4801 can take 30 seconds to load. It may take minutes to load a page
> with the thousands of rules that you would end up with, plus all the
> block rules would have to come before any pass rules so you would have
> to scroll all the way to the bottom of those to get to your pass
> rules.

Hm, the hostfile I'd like to use consists of 1280 lines, with a network range (like 58.14.0.0/15) on each line. I would need a rule for each, so that would probably swamp my PII. Won't work.

>
> Since Manuel's in the development mood today it seems, I'll make a
> suggestion. :) Adding host, network, and port groupings probably
> isn't that difficult. Though it would make a long back end rule set
> (10 hosts with 10 ports would be 100 rules), if that's what you
> require it's a lot better having 1 rule in the GUI than 100 rules. I
> have some installs where this would *really* help my sanity. I don't
> know how well ipfilter scales with huge rule sets, but I don't think
> it would be a major problem.
>

I sure hope Manuel could add this feature. Maybe it would even be possible to simply create such a group with a (url) link to a file. You could then simply update the file with a script or by hand and m0n0wall would simply update from the file without much hassle.

Even if groupings would be possible, there's still the need for some interface to easily maintain such long lists of networks/host/ports. Doing that in external files would create endless possibilities without making m0n0wall's interface too complicated.

Just my 2ct.

Peter
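
The externally maintained network file discussed in this thread, as an added example that is not part of the original messages and not m0n0wall code: it validates a one-network-per-line file, merges adjacent and overlapping ranges to cut the rule count, and emits plain ipfilter `block` rules. The interface name `wan0`, the function names and the sample file are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample file (not a real blocklist): one network per line.
SAMPLE_HOSTFILE = """\
# constructed sample
58.14.0.0/15
58.16.0.0/16
58.17.0.0/16
58.16.128.0/17
203.0.113.7
not-a-network
198.51.100.0/24
"""


def load_networks(text):
    """Parse one IPv4 network per line; return (networks, rejected_lines)."""
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        try:
            # strict=True rejects entries with host bits set (e.g. 10.0.0.1/8),
            # so a typo cannot silently widen or shift a block rule.
            nets.append(ipaddress.IPv4Network(line, strict=True))
        except ValueError:
            rejected.append((lineno, raw))
    return nets, rejected


def to_block_rules(text, iface="wan0"):
    """Return (ipfilter block rules, rejected lines). iface is a placeholder."""
    nets, rejected = load_networks(text)
    # collapse_addresses merges sibling networks and drops ranges already
    # covered by a larger one, returning the result in sorted order.
    merged = ipaddress.collapse_addresses(nets)
    rules = [f"block in quick on {iface} from {net} to any" for net in merged]
    return rules, rejected


if __name__ == "__main__":
    rules, rejected = to_block_rules(SAMPLE_HOSTFILE)
    print("\n".join(rules))
    for lineno, raw in rejected:
        print(f"# rejected line {lineno}: {raw!r}")
```

Rejected lines are returned rather than skipped silently, so a script that refreshes the file can refuse to load a list that fails validation.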