[PLUG] iptables vs sendmail access.db ?

Ed Sawicki ed at alcpress.com
Thu Feb 8 19:25:22 UTC 2007


Russ (YAR) Gilman-Hunt wrote:
> if I use uceprotect.de's level 1 spam blocking list, it's set up as a
> sendmail access list. I can alternatively parse it and set up iptables
> rules with all of those ip addresses (though this is against
> uceprotect.de's usage agreement)
> 
> If I treat making the computer rebuild the access database versus
> making the computer parse the iptables rules as being 0, which would be
> easier on the system, making sendmail check a 100,000 entry access.db
> file or making the kernel check 100,000 iptables rules?

I've dealt with this issue several times recently.
I don't know what your definition of "easier on the
system" is, but I'd say that an indexed database is
much better than a linear search through 100,000
firewall rules.

Although, I did once have to use the firewall approach
with about 10,000 rules. I organized the rules in
chains of /8 networks. Thus, no one chain had more than
a few hundred rules. It worked well.

As for indexed databases, I recently ran benchmarks
on Berkeley DB versus Bernstein's CDB. CDB was about
twice as fast.

Another approach is to use your own private DNSBL.

Ed
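As an added illustration of the per-/8 chain layout Ed describes above (this is not code from the thread or from uceprotect.de), the script below turns a small constructed block list into iptables-restore text: a BLOCKLIST dispatch chain with one jump per /8 that has entries, and the per-address DROP rules placed in the matching sub-chain, so a packet only walks one sub-chain rather than the whole list. The chain names, the sample addresses and the iptables-restore output format are assumptions.

```shell
#!/bin/sh
# Constructed sample block list (not a real feed), one IPv4 address per line.
BLOCKLIST='10.1.2.3
10.44.0.9
192.0.2.17
198.51.100.5
198.51.100.77'

# Emit iptables-restore text: one BLOCK_<first octet> chain per /8 that
# actually has entries, a BLOCKLIST dispatch chain that jumps to the
# sub-chain by /8, and the per-address DROP rules inside each sub-chain.
gen_rules() {
    printf '%s\n' "$BLOCKLIST" | sort -u | awk -F. '
    {
        # $1 is the first octet, i.e. the /8 this address belongs to
        chain = "BLOCK_" $1
        if (!(chain in seen)) { seen[chain] = 1; order[++n] = $1 }
        rules[chain] = rules[chain] "-A " chain " -s " $0 " -j DROP\n"
    }
    END {
        print "*filter"
        print ":BLOCKLIST - [0:0]"
        for (i = 1; i <= n; i++) print ":BLOCK_" order[i] " - [0:0]"
        # one dispatch rule per populated /8; unmatched /8s fall through
        for (i = 1; i <= n; i++)
            print "-A BLOCKLIST -s " order[i] ".0.0.0/8 -j BLOCK_" order[i]
        for (i = 1; i <= n; i++) printf "%s", rules["BLOCK_" order[i]]
        print "COMMIT"
    }'
}

gen_rules
```

Load the output with iptables-restore (with --noflush to keep rules already in place) and add a single jump from INPUT to BLOCKLIST; with a real 10,000-entry list the dispatch chain stays at most 256 rules long and each sub-chain holds only its own /8.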
