[PLUG] iptables vs sendmail access.db ?

Kurt Sussman plug at merlot.com
Thu Feb 8 19:56:04 UTC 2007


Russ Gilman-Hunt (gilmanhunt at comcast.net) typed this ...
> if I use uceprotect.de's level 1 spam blocking list, it's set up as a
> sendmail access list. I can alternatively parse it and set up iptables
> rules with all of those ip addresses (though this is against
> uceprotect.de's usage agreement)

I use the level 1 list, but it doesn't seem to be catching significantly
more spam than the level 2 list. I also see about the same number of
false positives. Just a data point; the level 2 list is about 10% as
large as the level 1 list.

> If I treat making the computer rebuild the access database versus
> making the computer parse the iptables rules as being 0, which would be
> easier on the system, making sendmail check a 100,000 entry access.db
> file or making the kernel check 100,000 iptables rules?

The db is going to be extremely fast, and iptables is a kernel module,
with any interrupt protection that may include (I freely admit ignorance
of how interrupts are handled when executing inside a kernel module).

If iptables really walks a list of rules to find matches for each
packet, that would be far more expensive than a user-space db lookup.

Postfix only processes about 1100 emails per day on my server, and I see
no increase in load between no UCEprotect list and the level 1 list. 

--Kurt
-- 
----------------------------------------------------------------------
    Merlot Research Group, Inc               http://www.merlot.com
    kls[at]merlot.com        GPG key 82505A74       GTalk: ratbelt
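A worked illustration, added here and not taken from Kurt's post or the PLUG thread, of why the lookup-cost comparison comes out the way the reply suggests: it emulates sendmail's documented access-map client lookup (full IP, then shorter dotted prefixes, Connect:-tagged keys before bare ones) against a hashed table, next to a flat top-to-bottom rule walk, over a constructed access list. The function names, the sample addresses and the synthetic 100k-style table in worst_case() are assumptions for the demonstration.

```python
import ipaddress

# Constructed access-map source (key TAB value), the text makemap hashes into
# access.db; documentation-range addresses, not a real blocklist.
ACCESS_SRC = ("192.0.2.10\tREJECT\n198.51.100\tREJECT\n"         # 198.51.100 = a /24, last octet dropped
              "203.0.113.0\tOK\nConnect:192.0.2.20\tREJECT\n")  # Connect: tag = connecting client only

def parse_access(text):
    """Parse access-map source lines into a dict keyed exactly as makemap would."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("\t")
            table[key.strip()] = value.strip()
    return table

def db_lookup(table, ip):
    """Emulate sendmail's client lookup: full address, then each shorter dotted prefix,
    Connect:-tagged key before the bare one. Probes never exceed 8, whatever the table size."""
    parts, probes = ip.split("."), 0
    for n in range(len(parts), 0, -1):
        prefix = ".".join(parts[:n])
        for key in ("Connect:" + prefix, prefix):
            probes += 1
            if key in table:
                return table[key], probes
    return None, probes

def access_to_rules(table):
    """Expand the same entries to (network, verdict) pairs, one per generated iptables rule."""
    rules = []
    for key, verdict in table.items():
        octets = (key[len("Connect:"):] if key.startswith("Connect:") else key).split(".")
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        rules.append((ipaddress.ip_network("%s/%d" % (padded, 8 * len(octets))), verdict))
    return rules

def rule_walk(rules, ip):
    """Emulate a flat chain: check rules top to bottom; an unlisted client costs a full walk."""
    addr = ipaddress.ip_address(ip)
    for checked, (net, verdict) in enumerate(rules, 1):
        if addr in net:
            return verdict, checked
    return None, len(rules)

def worst_case(n):
    """(db probes, rules walked) for an unlisted client against n constructed /24 entries."""
    src = "".join("10.%d.%d\tREJECT\n" % (i // 256, i % 256) for i in range(n))
    table = parse_access(src)
    return db_lookup(table, "192.0.2.1")[1], rule_walk(access_to_rules(table), "192.0.2.1")[1]
```

worst_case(100000) is the thread's scenario: the hashed lookup still costs 8 probes while the flat chain inspects every rule for each unlisted client.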
