firewalld - A firewall daemon with D-BUS interface providing a dynamic firewall (test version)
dennisml at conversis.de
Sun Jan 2 16:56:13 UTC 2011
On 01/02/2011 04:57 PM, Genes MailLists wrote:
> On 01/02/2011 06:16 AM, Thomas Woerner wrote:
>> On 12/27/2010 08:42 PM, Casey Dahlin wrote:
>>>> Can I ask a stupid question? Does dbus have the kind of performance
>>>> necessary to support this type of application?
>>> What kind of performance do you think is necessary? Its just a
>>> configuration interface, its not like its pushing all your packets
>>> through dbus or asking the bus every time it needs to make a routing
>>> decision (or did I miss something? I'd certainly hope not).
>> There will be an optional firewall mode, where you can define firewall
>> features, the user will be asked about, but this will be limited to new
>> connection attempts and not all packets in an established connection.
> I have no idea how you're implementing this - but if you're using
> iptables to change the rules the performance can be truly awful when you
> have more than a few rules. (I have a lot of rules on our primary border
> I switched to iptables-restore and got 2 orders of magnitude speedup
> (yes that is indeed over 100 times faster!!) - something to consider.
I think iptables-restore uses libiptc to manipulate the rules. The problem
is that according to the netfilter FAQ libiptc isn't officially supported
but I asked about that on the mailing list. I've always wondered how to
properly manipulate iptables rules from say C/C++ (or any "not shell"
language) in a safe manner.
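The thread's speedup comes from handing iptables-restore one complete ruleset (flushed and committed as a unit) instead of forking `iptables` once per rule, and it is also the usual way to drive netfilter from a non-shell language without touching libiptc. The following is an added example, not code from firewalld or from anyone in the thread: it renders a ruleset in the text format iptables-restore reads, refuses arguments that would smuggle extra lines into that stream, and optionally hands the result to `iptables-restore --test` (parse only) or to `iptables-restore` proper. The table, chains and rules are constructed sample policy, and the function names are my own.

```python
"""Build an iptables-restore ruleset from structured rules and load it atomically.

Added example for the firewalld thread; not project code.  Requires root and
the iptables-restore binary only when apply_ruleset() is called.
"""
import shutil
import subprocess
from typing import Dict, Iterable, Sequence


def quote_arg(arg: str) -> str:
    """Return a single iptables-restore token.

    The restore format is line oriented, so a newline or NUL inside an argument
    would terminate the rule early and start a new one; reject those outright.
    Whitespace-containing values (e.g. --comment text) are double-quoted, the
    same convention iptables-save itself emits.
    """
    if "\n" in arg or "\r" in arg or "\x00" in arg:
        raise ValueError(f"line separator in rule argument: {arg!r}")
    if '"' in arg:
        raise ValueError(f"double quote not supported in rule argument: {arg!r}")
    return f'"{arg}"' if any(c.isspace() for c in arg) else arg


def render_ruleset(table: str,
                   chain_policies: Dict[str, str],
                   rules: Iterable[Sequence[str]]) -> str:
    """Render one table in iptables-restore syntax.

    chain_policies maps chain name -> default policy ("ACCEPT"/"DROP"), or "-"
    for a user-defined chain.  Each rule is the argument vector you would pass
    to iptables after the table name, e.g. ["-A", "INPUT", "-i", "lo", "-j", "ACCEPT"].
    Because the default restore mode flushes the table first, the text is a
    complete replacement of the table, not an increment.
    """
    lines = [f"*{table}"]
    for chain, policy in chain_policies.items():
        lines.append(f":{quote_arg(chain)} {quote_arg(policy)} [0:0]")
    for rule in rules:
        lines.append(" ".join(quote_arg(a) for a in rule))
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def apply_ruleset(text: str, check_only: bool = False) -> int:
    """Feed the rendered text to iptables-restore and return its exit status.

    check_only uses the real --test flag (parse and build, but do not commit),
    which is a cheap way to validate generated rules before touching the kernel.
    """
    exe = shutil.which("iptables-restore")
    if exe is None:
        raise RuntimeError("iptables-restore not found in PATH")
    cmd = [exe, "--test"] if check_only else [exe]
    result = subprocess.run(cmd, input=text, text=True, check=True)
    return result.returncode


# Constructed sample policy: default-deny inbound, stateful return traffic, SSH.
SAMPLE_POLICIES = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}
SAMPLE_RULES = [
    ["-A", "INPUT", "-i", "lo", "-j", "ACCEPT"],
    ["-A", "INPUT", "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED",
     "-j", "ACCEPT"],
    ["-A", "INPUT", "-p", "tcp", "--dport", "22",
     "-m", "comment", "--comment", "ssh admin", "-j", "ACCEPT"],
]


def sample_ruleset() -> str:
    """Render the constructed sample policy for the filter table."""
    return render_ruleset("filter", SAMPLE_POLICIES, SAMPLE_RULES)


if __name__ == "__main__":
    # Print the generated text; pipe it to `iptables-restore --test` to validate,
    # or call apply_ruleset(sample_ruleset()) as root to load it in one commit.
    print(sample_ruleset(), end="")
```

Loading all rules in one `iptables-restore` run is what gives the "two orders of magnitude" difference mentioned above: each separate `iptables` call fetches and replaces the whole table, so N rules cost O(N^2) copies, whereas the restore path copies it once. The newline check matters when any rule argument comes from configuration or user input, since the restore format has no other delimiter between rules.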