Personal Server Behind DSL Router

Fri Jan 12 11:27:53 MST 2007

Zan Lynx wrote:
> On Thu, 2007-01-11 at 21:37 -0700, Ken MacFerrin wrote:
>>> I typically don't run iptables on a box like this because all the
>>> services it provides are public.  So there isn't anything for iptables
>>> to block (obviously there are some other useful things iptables can do).
>> Why wouldn't you firewall each machine?  This provides an additional
>> layer of protection for your server in case another machine in your
>> internal network is compromised (i.e. your visiting relative who wants
>> to use their spyware-filled XP laptop at the house). Given the small
>> memory footprint and simplicity of setting up something like shorewall I
>> can't see why not to turn it on.
> Well, for an actual *server* server, like one running on an internal
> company LAN where it can actually approach using a significant fraction of
> a 100 Mbps Ethernet . . .
> You turn off iptables and all netfilter code so that your server doesn't
> suffer the CPU overhead of connection tracking.

Good point.

> Netfilter can also screw up networking zero-copy, I believe, although I
> may be remembering what I read about some of those network offload cards
> Linus doesn't like.  (The theory there is that the card handles all the
> TCP packeting, and simply DMAs datastreams to/from main memory.  Like
> Infiniband RDMA but over Ethernet.)
> Speaking of that, I wonder if anyone has Linux drivers for the KillerNIC
> yet (it's Linux on a card, doing network offload for Windows).

I've heard this thing has turned out to be a lot of hype and very little
performance.  Reading the reviews from buyers on newegg many are very

