[Shorewall-users] Zone Scalability

Tom Eastep teastep at shorewall.net
Wed Dec 3 11:19:13 PST 2003

On Wed, 2003-12-03 at 08:49, Matt Burleigh wrote:
> I'm happily running two four zone/four nic shorewall firewall 
> configurations. Great software, works as expected every time! We are 
> contemplating a larger and more complex firewall configuration that may 
> include as many as twelve zones with trying to cram as many as 8+ 
> interfaces into a single machine. Are there any drawbacks to this 
> amount of zones and interfaces into a single shorewall configuration?

The time required for [re]start is O(n**2) where n is the number of
zones. Specifying a lightweight shell such as 'ash' in SHOREWALL_SHELL
helps keep the [re]start time within acceptable limits.

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
