Mailing List Archive



[tlug] CPU cycles and packet filtering



Hi all,

Just how much CPU power does packet filtering (iptables) suck up?

A while back, I decided that I was getting far too many "Relaying denied"
messages in my sendmail log files, so I decided plainly and simply to do the
blacklisting myself and block out certain subnets with my firewall. I now
have a list of about 20 subnets (mostly in Korea, mainland China, Taiwan and
Brazil, surprise surprise...) from which packets are not allowed to connect
to my MTA.

It's pretty much solved the logs filling up, but I was wondering if passing
packets through such long chains of rules was wasting more CPU power than
sendmail kicking in, carrying out its usual checks, logging the error and
bailing out.

Bearing in mind that nobody in the above-mentioned countries has any reason
to send me legitimate e-mail, and if someone does then they have other means
of getting hold of me, which method is better IYO? Firewall or MTA? The
processor on which my MTA is running is a Pentium-II 266MHz.

TIA

-- 
G. Stewart   --   gstewart@example.com
Registered Linux user #284683

GnuPG key  : BA3D01C6 (pgp.mit.edu)
Fingerprint: C3DF C686 6572 6E59 E3E4  0F40 2B9A 2218 BA3D 01C6
---------------------------------------------------------------
Why is it that when you transport something by car it's
called shipment, but when you transport it by ship it's
called cargo?
