Hoeveel routing entries

On 2005-05-04, Eddy <eddy@invalid> wrote:
> A block ip-addresses from hackers, spammers and others with:
> /sbin/route add -host <ip-adres> reject

Why don't you use a firewall (and/or) a correct antispam configuration
for your mail server for this? This way the packets that are blocked
by the firewall don't even get to the routing part and you don't have
problems related to performance of the routing table.

Davide

--
It's no wonder they call it WinNT; WNT = VMS++;
-- Chris Abbey

Hoi,

Spammers, hackers, open proxies en ander ongewenst volk blokkeer ik op
m'n server met:

/sbin/route add -host <ip-adres> reject

De lijst is aardig gegroeit in de loop dertijd en "netstat -rn" levert
enkele honderden entries op. Wat zijn de performance of andere limieten
voor het aantal entries in de "routing" tabel (2.4.27 kernel)?

Eddy

Sorry... right question, wrong language...

Second attempt:

A block ip-addresses from hackers, spammers and others with:

/sbin/route add -host <ip-adres> reject

The list (netstat -rn) is getting larger and larger (few hundred
entries). What are the (performance) limits for the amount of routing
entries (2.4.27 kernel)?

Eddy

On 2005-05-04, Eddy <eddy@invalid> wrote:
> Can your firewall hold a thousand+ rules?

Yes. Well, isn't really smart to do (it takes a lot to load the whole
ruleset and maintenance is a pain), so is much better to 'cluster' the
whole stuff in subnets.

> It is not only for mail, but ssh, http, ftp ...etc.

I'd do the other way around: don't lock OUT the ones you don't want, but
allow IN only the ones you want.

> I don't have a performance problem (yet). I just want to know when the
> linux kernel gives up on my increasing routing table.

AFAIK the routing table start with a fixed size of 19 Mb, and then
increase using more memory. I don't remember of any 'limit' size.

Davide

--
I'm an apatheist. The question is no longer interesting, and the
answer no longer matters.
-- from alt.sysadmin.recovery

Davide Bianchi wrote:
> On 2005-05-04, Eddy <eddy@invalid> wrote:
>
>>A block ip-addresses from hackers, spammers and others with:
>>/sbin/route add -host <ip-adres> reject
>
>
> Why don't you use a firewall (and/or) a correct antispam configuration
> for your mail server for this?
Can your firewall hold a thousand+ rules? My Vigor can't.
It is not only for mail, but ssh, http, ftp ...etc.
(btw. Spamassassin and RBLs are already in place)


> This way the packets that are blocked
> by the firewall don't even get to the routing part and you don't have
> problems related to performance of the routing table.
I don't have a performance problem (yet). I just want to know when the
linux kernel gives up on my increasing routing table.

Davide Bianchi wrote:
> On 2005-05-04, Eddy <eddy@invalid> wrote:
>
>>Can your firewall hold a thousand+ rules?
>
>
> Yes. Well, isn't really smart to do (it takes a lot to load the whole
> ruleset and maintenance is a pain), so is much better to 'cluster' the
> whole stuff in subnets.
>
>
>>It is not only for mail, but ssh, http, ftp ...etc.
>
>
> I'd do the other way around: don't lock OUT the ones you don't want, but
> allow IN only the ones you want.
>
Heh heh heh, al 3 biljoen van hulle?