Re: (PM) smtp filters on pm2e's

Doug Ingraham (dpi@rapidnet.com)
Thu, 28 May 1998 18:37:33 -0600 (MDT)

On Thu, 28 May 1998, Frank Heinzius wrote:

> Hiya,
>
> On 27 May 98, at 18:09, Doug Ingraham wrote:
>
> > On Wed, 27 May 1998, Todd M. Jagger wrote:
>
> > > 3) What is the impact on the pm's performance by putting these filters in
> > > place, assuming that the list of filters is not huge but maybe 25 or so
> > > entries? Is using a Choicenet server a better option than having the
> > > filters on the pm itself?
> >
>
> > I stopped using choicenet because it logs bogus error messages and
> > livingston acted like it was something I was doing wrong. On active
>
> D'oh...I use Choicenet for guest access, where I maintain a list of
> allowed Web sites for them. It works flawlessly on a PM3
> (3.8b15)...perhaps you tried ORs or PM2s, the latter are getting more
> and more overloaded with the new features...

Both PM-2's and PM-3 had the problem. I have a filter for every login
user. The bulk of the customers get a filter called block.in and
block.out which protect some of our NT servers by allowing access to
specific services. It also blocks out some of the win 95 stupidities for
misconfigured boxes. It was this filter that would cause problems. It
looked like the portmaster would attempt to load this filter from
choicenet for every login even if the filter was already loaded. And
sometimes it would report errors in the filter. The same filter that was
already loaded. So it actually did work because there was already a copy
in the box but it would log these stupid errors and I just hated those
error messages.

> ComOS's filter parsing is very fast. I had filters with more than 50
> rules on an IRX-211 between the Ethernets, and discovered no significant
> latencies after applying the filters. Please note that filters are
> parsed sequentially. Each packet will be matched with the appropriate
> filter starting at rule 1. So put rules concerning critical traffic at
> the head of the list, if possible...

I meant to mention that I tried to see filter latency and was not able to
measure it with normal tools. I can't imagine filters that would be long
enough to cause difficulties. It should be no more than a few
microseconds latency per filter line if well implemented.

Doug Ingraham The best defense against logic is ignorance.
Rapid City, SD
USA
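
The sequential, rule-1-first matching discussed in this message, as an added example that is not part of the original post: a Python model that counts how many rules each packet is compared against and checks that a reordering leaves every verdict unchanged. The rule format, rule sets and traffic mix are constructed for illustration (this is not ComOS filter syntax), and "no match means deny" is an assumption of the model.

```python
from collections import namedtuple

# Constructed rule model for illustration; this is not ComOS filter syntax.
Rule = namedtuple("Rule", "action proto dport")  # dport None = any port

def evaluate(rules, pkt):
    """First match wins. Returns (action, number of rules examined)."""
    proto, dport = pkt
    for n, r in enumerate(rules, start=1):
        if r.proto == proto and r.dport in (None, dport):
            return r.action, n
    return "deny", len(rules)  # assumption of this model: no match means deny

def mean_cost(rules, traffic):
    """Average rules examined per packet; traffic maps packet -> packet count."""
    total = sum(traffic.values())
    return sum(evaluate(rules, p)[1] * c for p, c in traffic.items()) / total

def same_verdicts(a, b, packets):
    """True if both orderings give every packet the same action."""
    return all(evaluate(a, p)[0] == evaluate(b, p)[0] for p in packets)

# Constructed rule set: block NetBIOS, allow DNS and all other TCP.
ORIGINAL = [
    Rule("deny", "udp", 137), Rule("deny", "udp", 138), Rule("deny", "tcp", 139),
    Rule("permit", "udp", 53), Rule("permit", "tcp", None),
]
# Busy traffic moved up, but the specific deny stays ahead of the broad permit.
TUNED = [
    Rule("deny", "tcp", 139), Rule("permit", "tcp", None), Rule("permit", "udp", 53),
    Rule("deny", "udp", 137), Rule("deny", "udp", 138),
]
# Broad permit moved to rule 1: faster, but it now shadows "deny tcp 139".
NAIVE = [Rule("permit", "tcp", None)] + [r for r in ORIGINAL if r.dport is not None]

# Constructed traffic mix: (protocol, destination port) -> packets seen.
TRAFFIC = {("tcp", 80): 700, ("udp", 53): 150, ("tcp", 110): 80,
           ("tcp", 25): 50, ("udp", 137): 10, ("tcp", 139): 10}

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("tuned", TUNED), ("naive", NAIVE)):
        print(name, "mean rules examined:", mean_cost(rules, TRAFFIC),
              "verdicts preserved:", same_verdicts(ORIGINAL, rules, TRAFFIC))
```

Reordering for speed is only safe when overlapping rules keep their relative order, which is what the verdict comparison checks before a reordered filter replaces the old one.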
