[lug] Personal Server Behind DSL Router
Ken MacFerrin
lists at macferrin.com
Fri Jan 12 11:27:53 MST 2007
Zan Lynx wrote:
> On Thu, 2007-01-11 at 21:37 -0700, Ken MacFerrin wrote:
>>> I typically don't run iptables on a box like this because all the
>>> services it provides are public. So there isn't anything for iptables
>>> to block (obviously there are some other useful things iptables can do).
>> Why wouldn't you firewall each machine? This provides an additional
>> layer of protection for your server in case another machine in your
>> internal network is compromised (i.e. your visiting relative who wants
>> to use their spyware-filled XP laptop at the house). Given the small
>> memory footprint and simplicity of setting up something like shorewall I
>> can't see why not to turn it on.
>
> Well, for an actual *server* server, like one running on an internal
> company LAN where it can actually approach using a significant fraction of
> a 100 Mbps Ethernet . . .
>
> You turn off iptables and all netfilter code so that your server doesn't
> suffer the CPU overhead of connection tracking.
>
Good point.
> Netfilter can also screw up networking zero-copy, I believe, although I
> may be remembering what I read about some of those network offload cards
> Linus doesn't like. (The theory there is that the card handles all the
> TCP packeting, and simply DMAs datastreams to/from main memory. Like
> Infiniband RDMA but over Ethernet.)
>
> Speaking of that, I wonder if anyone has Linux drivers for the KillerNIC
> yet (It's Linux on a card, doing network offload for Windows).
I've heard this thing has turned out to be a lot of hype and very little
performance. Reading the reviews from buyers on newegg many are very
unhappy.
-Ken
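The two positions above (firewall every host vs. switch netfilter off to avoid the conntrack cost) are not mutually exclusive. The raw table runs before connection tracking, so a host can keep a default-drop input policy and still exempt its one high-volume public service from conntrack with a NOTRACK rule. The script below is an added example and not code from the thread; it assumes the public service is HTTP on tcp/80 and that management SSH should only be reachable from the 192.168.1.0/24 LAN behind the DSL router (both assumptions, not facts from the post):

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a per-host iptables
# ruleset in iptables-restore format: default-drop INPUT, but the public
# service is exempted from connection tracking so that traffic does not
# pay the conntrack CPU cost discussed in the thread.
set -eu

PUBLIC_PORT=80             # assumed public service (HTTP)
LAN_NET=192.168.1.0/24     # assumed LAN behind the DSL router

# Emit the ruleset on stdout (lines beginning with '#' are ignored by
# iptables-restore, so the comments can stay in).
ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Skip conntrack for the public service in both directions. The raw table
# is hit before the conntrack hook, so these flows never get an entry.
-A PREROUTING -p tcp --dport $PUBLIC_PORT -j NOTRACK
-A OUTPUT -p tcp --sport $PUBLIC_PORT -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Untracked packets never become ESTABLISHED, so the public service has
# to be accepted by port, and this rule must come before the INVALID drop.
-A INPUT -p tcp --dport $PUBLIC_PORT -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Management only from the LAN: a compromised guest laptop on the LAN
# still only reaches SSH and the public service, nothing else.
-A INPUT -p tcp --dport 22 -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Load the ruleset atomically; refuses unless root and iptables-restore exist.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: must be root" >&2
        return 1
    fi
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "apply_ruleset: iptables-restore not found" >&2
        return 1
    fi
    ruleset | iptables-restore
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    *)       ruleset ;;    # default: print the ruleset for review
esac
```

Run it without arguments to review the rules, with `--apply` as root to load them. Afterwards `/proc/net/nf_conntrack` (or `conntrack -L`) should show no entries for port 80 while other connections are still tracked. The netfilter hooks themselves still run on every packet, so this does not make the box as cheap as a kernel with netfilter compiled out, but the per-packet conntrack lookup and table churn on the public flow are gone, which is the cost that matters under load. On newer iptables the NOTRACK target is an alias for `-j CT --notrack`.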