Re: Kazaa! iptables table sizes and performance

From: jack (
Date: 05/09/03

Date: Fri, 09 May 2003 22:40:12 +0200

Chris Lowth wrote:
> I am working on an iptables module for Kazaa blocking, based on an 'adaptive'
> approach - whereby I create REJECT rules for IP/port number pairs as the
> module identifies them as being Kazaa servers.
> It works fine, but I am fairly quickly creating quite a lot of rules - so

Just a thought: why not simply block that port range from $WORLD?

> Does anyone have any 'real-life' experience of rule sets running into the
> thousands of rules? If so - do you notice much in the way of a performance
> hit?

There have been lively and volatile discussions along the lines of: "How many
rules would one need in a well-configured environment?" -- Bottom line: if
you get a ruleset of tens, hundreds or even thousands of rules, you must be
doing something wrong...

> blocking - I don't accept the risk of blocking non-Kazaa traffic in my
> attempt to block Kazaa.

As I said, simply block the respective port range (somewhere 'round 4662,
IIRC). Don't use this [well-known] range for other services, and tell
others not to.

I had some "talk" (by mail, you know) with developers of both Kazaa
and eDonkey (and some others, I don't remember which) asking them to come
up with some sort of "reject token" that a server can return in order to
stop those infinitely repeating connection attempts, as they seem to
ignore that you ignore them... They said they weren't going to, so
I didn't feel like wasting my time on people like them. (One of the
replies said that after several hours, maybe 96 or so, the peers
would stop trying; why, they asked, would I not take part in that p2p
thing and advertise an empty sharing list which nobody would want,
anyway...) Me pointing out that there was a _lot_ of wasted bandwidth
due to unsuccessful connection attempts didn't bother them too
much - in the end, _they_ needn't pay for that.

Chris, DROP them. Give your rulesets a rest.

Cheers, Jack.

My personal reading of the string "MicroSoft" expands to "NanoWeak"...
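Added example, not part of Jack's post or Chris's module: a small POSIX shell script that emits the iptables commands for the approach Jack recommends, a fixed handful of DROP rules covering a whole port range, instead of one REJECT rule per peer. The chain name P2P_BLOCK, the hook chain and the port range are assumptions; note that 4662-4672 is eDonkey's default range, while Kazaa's FastTrack clients listened on 1214, so set the range to match the client you actually see. The rules are produced as text so they can be reviewed or dry-run before being piped into a shell as root.

```shell
#!/bin/sh
# Added example (not from the original post or Chris Lowth's module):
# block a P2P port range from everywhere with a constant number of DROP
# rules. Chain name, hook chain and port range are assumptions.

# Emit the iptables commands for blocking ports $1..$2 (TCP and UDP).
# $3 is the built-in chain to hook into; FORWARD for a router/gateway,
# INPUT if the peers are being blocked from reaching this host itself.
p2p_block_rules() {
    first="$1"; last="$2"; chain="${3:-FORWARD}"

    # A user-defined chain keeps the built-in chain short; the rule count
    # stays the same no matter how many peers keep retrying.
    printf 'iptables -N P2P_BLOCK\n'
    printf 'iptables -F P2P_BLOCK\n'

    # DROP rather than REJECT: REJECT sends a TCP RST or ICMP error for
    # every probe, which costs upstream bandwidth and confirms that the
    # address is alive; a silent drop costs nothing per attempt.
    printf 'iptables -A P2P_BLOCK -p tcp --dport %s:%s -j DROP\n' "$first" "$last"
    printf 'iptables -A P2P_BLOCK -p udp --dport %s:%s -j DROP\n' "$first" "$last"

    # Performance caveat for long chains: rule matching is linear, so let
    # packets of established flows bypass everything else at position 1
    # and only send NEW connections through the block chain at position 2.
    printf 'iptables -I %s 1 -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$chain"
    printf 'iptables -I %s 2 -m state --state NEW -j P2P_BLOCK\n' "$chain"
}

# Number of filtering rules in the block chain: fixed at two, versus one
# rule per IP/port pair in the adaptive approach.
p2p_rule_count() {
    p2p_block_rules "$@" | grep -c '^iptables -A P2P_BLOCK'
}

# Dry run: print the commands. To apply them as root instead, pipe the
# output into sh, e.g.  p2p_block_rules 4662 4672 FORWARD | sh
p2p_block_rules 4662 4672 FORWARD
```

Running the script prints the commands only; review them, then apply with `p2p_block_rules 4662 4672 FORWARD | sh` as root. If your own services must use ports inside the range, narrow the range rather than adding per-peer exceptions, or the rule count starts growing again.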