discuss AT lists.opennicproject.org

Subject: Discuss mailing list

List archive

RE: [opennic-discuss] iptables rules inefficient

From: Éric Boucher <bouchereric0000 AT hotmail.com>
To: "discuss AT lists.opennicproject.org" <discuss AT lists.opennicproject.org>
Subject: RE: [opennic-discuss] iptables rules inefficient
Date: Thu, 23 May 2013 11:43:46 -0400
Importance: Normal

This is great changes... May i ask for your rules so i can add it to mine ?

Thanks,

Éric

Date: Thu, 23 May 2013 09:19:29 +0200
From: dns AT psilo.org
To: discuss AT lists.opennicproject.org
Subject: Re: [opennic-discuss] iptables rules inefficient

Yes I see a big difference looking at the bandwidth graphs.

Without the iptables filters:

Now WITH the iptables filters:

The average output has been divided by 1000.

Psilo

2013/5/23 Julian DeMarchi <julian AT jdcomputers.com.au>

On 05/21/2013 02:11 AM, Psilo wrote:
> Thanks for your answer.
>
> However I just found out the filter is actually efficient, just the dnstop
> tool captures the packets before they are filtered.
>
> Now I use "dnstop eth0 -R" to see only DNS replies instead of queries, and
> there is nothing with "isc.org" or "ripe.net".
>
> Sorry about this mistake.

If you're blocking on box then you are still going to be receiving a
load of traffic. There is no way to stop the inbound traffic. However by
not responding you should see the traffic drop by a half.

I had to kill a DNS server off last year as the inbound traffic was
still killing me in B/W costs.

--julian

--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org

Re: [opennic-discuss] iptables rules inefficient, (continued)