Re: Kazaa! iptables table sizes and performance
From: jack (not_at_all.org)
Date: 05/09/03
- Next message: jack: "Re: Kazaa! iptables table sizes and performance"
- Previous message: Hue-Bond: "Re: block CodeRed/Nimda at the firewall?"
- In reply to: Chris Lowth: "Kazaa! iptables table sizes and performance"
- Next in thread: jack: "Re: Kazaa! iptables table sizes and performance"
- Reply: jack: "Re: Kazaa! iptables table sizes and performance"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 09 May 2003 22:40:12 +0200
Chris Lowth wrote:
> I am working on a iptables module for kazaa blocking, based on an 'adaptive'
> approach - whereby I create REJECT rules for IP/port number pairs as the
> module identifies them as being Kazaa servers.
>
> It works fine, but I am fairly quickly creating quite a lot of rules - so
Just a thought...: Why not simply block that port range from $WORLD...?
> Does anyone have any 'real-life' experience of rule sets running into the
> thousands of rules? If so - do you notice much in the way of a performance
> hit?
There were vital and volatile discussions about like: "How many rules
would one need in a well configured environment?" -- Bottom line: If
You get a ruleset of tens, hundreds or even thousands of rules, You
must be doing something wrong...
> blocking - I don't accept the risk of blocking non-Kazaa traffic in my
> attempt to block Kazaa.
As said, simply block the respective port range (somewhere 'round 4662,
IIRC). Don't use this [well known] range for other services, and tell
others not to.
I had some "talk" (that by mail, You know) to developers of both kazaa
and edonkey (and some other, don't remember) asking them to come up
with some sort of "reject token" that a server can return in order to
stop those infinitely repeating connection attempts, as they seem to
ignore that You ignore them... - They said they weren't going to, so
I didn't feel like wasting my time on people like them. (One of the
replies said that after several hours, maybe 96 or some, the peers
would stop trying; why, they asked, would I not take part in that p2p
thing and advertise an empty sharing list which nobody would want,
anyway...) Me pointing out that there was a _lot_ of wasted bandwidth
due to unsuccessful connection attempts didn't bother them too
much - in the end, _they_ needn't pay for that.
Chris, DROP them. Give Your rulesets a rest.
Cheers, Jack.
--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
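The alternative Jack argues for (one DROP rule on a port range in a dedicated chain, instead of an ever-growing list of per-peer REJECT rules) can be scripted in a few lines. The following is an added example, not code from either poster: it emits the iptables commands rather than applying them, so it can be reviewed or piped to `sh` on the firewall. The chain name and the port range are parameters; the range used in the usage comment is a constructed sample around the 4662 figure mentioned in the post, not a verified Kazaa port list.

```shell
#!/bin/sh
# Added example: print the iptables commands that replace N per-peer rules
# with a fixed-size ruleset on a port range. Nothing is applied here;
# pipe the output to "sh" on the host where the rules should be installed.

# gen_block_rules CHAIN LOWPORT HIGHPORT
gen_block_rules() {
    [ "$#" -eq 3 ] || { echo "usage: gen_block_rules CHAIN LOW HIGH" >&2; return 1; }
    chain=$1; low=$2; high=$3

    # Refuse non-numeric or inverted ranges: a typo must not silently
    # turn into a rule that drops far more than intended.
    case "$low$high" in *[!0-9]*) echo "ports must be numeric" >&2; return 1;; esac
    [ "$low" -le "$high" ] && [ "$high" -le 65535 ] \
        || { echo "bad port range $low:$high" >&2; return 1; }

    # A dedicated chain keeps the policy in one place and easy to flush.
    printf 'iptables -N %s\n' "$chain"
    # One rule per protocol covers the whole range (LOW:HIGH syntax),
    # so the rule count no longer grows with the number of peers seen.
    printf 'iptables -A %s -p tcp --dport %s:%s -j DROP\n' "$chain" "$low" "$high"
    printf 'iptables -A %s -p udp --dport %s:%s -j DROP\n' "$chain" "$low" "$high"
    # Only NEW connections are sent through the chain; packets of already
    # established flows never traverse it, keeping per-packet cost low.
    printf 'iptables -I INPUT -m state --state NEW -j %s\n' "$chain"
    printf 'iptables -I FORWARD -m state --state NEW -j %s\n' "$chain"
}

# Stand-alone usage (constructed sample range):
#   sh thisfile.sh p2p-drop 4661 4672 | sh
if [ "$#" -eq 3 ]; then
    gen_block_rules "$@"
fi
```

DROP rather than REJECT is deliberate here, as in the post: a REJECT answers every retry, while a DROP costs nothing beyond the chain lookup, which matters precisely because these clients keep reconnecting.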