On Sat, Jan 17, 2009 at 10:43 AM, Mike McGrath <mmcgrath@xxxxxxxxxx> wrote:
> On Fri, 16 Jan 2009, Frank Chiulli wrote:
>
>> Mike,
>> First let me say that the examples are a great addition to the page.
>>
>> I was looking at the iptables sample configuration and had some
>> questions. I compared your suggested configuration to my current
>> configuration (Fedora 10). With the exception of the lines with
>> '--tcp-flags' in your sample configuration, they're pretty close. I
>> don't have those yet. The first three lines that start with '-A' in
>> your sample are the same as mine except the order is different. Does
>> the order make a difference?
>>
>> Here are the lines from my file:
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>>
>> Here are yours:
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>>
>
> The order isn't that important, though I should really have
> established,related come first. The main reason for this is because
> IPTables runs like a list: any already approved content doesn't have to
> get checked against much of the list but instead is automatically
> approved.

It used to be that the state lookup might take more 'energy' than the
general accept, and some servers which threw mostly stuff over loopback
in single packets would experience a higher load than others. That is
probably an issue that is not as relevant today as it was in the past,
but the general rule was: get easy decisions done quickly, do hard ones
later (especially if you were in a very hostile/noisy network). I think
that theory would need to be tested again, as the iptables weight for
dealing with state is different from when you found a higher CPU load
and some packet delay if you didn't just drop worm port traffic first
and then deal with state.

> This has security implications, but for most setups it's a good policy.
> I'll actually move that up now and refresh that page soon.

--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams!
So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
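The two points in the thread (a chain is walked top to bottom and stops at the first match, so ordering changes how many rules each packet touches; and putting the ESTABLISHED,RELATED accept ahead of a port DROP means established flows to that port are never dropped) can be made concrete with a small first-match model. This is an added example written for this page; it is not code from the list, from Fedora infrastructure, or from the sample configuration page. The packets, the two traffic mixes and the tcp/445 "worm port" DROP rule are constructed, the model ignores the '--tcp-flags' rules Frank mentions, and it counts rules examined rather than measuring CPU cost.

```python
"""Model of netfilter first-match evaluation of an iptables INPUT chain.

Added example for this thread, not code from the list or from Fedora
infrastructure. Packets, ports, the traffic mixes and the tcp/445 "worm
port" rule are constructed; the model counts rules examined, not CPU.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str            # input interface, e.g. "lo" or "eth0"
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for icmp
    state: str            # conntrack state: NEW, ESTABLISHED, RELATED, INVALID


@dataclass(frozen=True)
class Rule:
    """One '-A INPUT ...' line; a field left as None is 'not specified'."""
    target: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[frozenset] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.states is None or p.state in self.states))


def evaluate(chain: List[Rule], p: Packet, policy: str = "DROP") -> Tuple[str, int]:
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (verdict, number of rules examined to reach the verdict)."""
    for n, rule in enumerate(chain, start=1):
        if rule.matches(p):
            return rule.target, n
    return policy, len(chain)  # nothing matched: the chain policy applies


def total_examined(chain: List[Rule], traffic) -> int:
    """Sum of rules examined over a weighted list of (packet, count)."""
    return sum(evaluate(chain, p)[1] * count for p, count in traffic)


# The three rules quoted in the thread, as Rule objects.
LO = Rule("ACCEPT", iface="lo")
STATE = Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))
ICMP = Rule("ACCEPT", proto="icmp")
# Constructed: a DROP for a worm-targeted port, as in the reply's last paragraph.
WORM = Rule("DROP", proto="tcp", dport=445)

FRANK = [STATE, ICMP, LO]  # state first, as in Frank's file
MIKE = [LO, STATE, ICMP]   # loopback first, as in the sample config

# Constructed traffic mixes (packet, count): a host talking mostly to the
# network versus one that "throws mostly stuff over loopback in single packets".
REMOTE_EST = Packet("eth0", "tcp", 22, "ESTABLISHED")
LO_NEW = Packet("lo", "tcp", 5432, "NEW")
PING = Packet("eth0", "icmp", None, "NEW")
NET_HEAVY = [(REMOTE_EST, 900), (LO_NEW, 100), (PING, 10)]
LO_HEAVY = [(REMOTE_EST, 100), (LO_NEW, 900), (PING, 10)]


def ordering_cost():
    """Rules examined per mix for each ordering: {mix: (frank, mike)}."""
    return {
        "net_heavy": (total_examined(FRANK, NET_HEAVY), total_examined(MIKE, NET_HEAVY)),
        "lo_heavy": (total_examined(FRANK, LO_HEAVY), total_examined(MIKE, LO_HEAVY)),
    }


def worm_port_verdicts():
    """The security implication: an ESTABLISHED packet to the dropped port is
    accepted when the state rule comes first and dropped when the port DROP
    comes first. Returns (state_first_verdict, drop_first_verdict)."""
    pkt = Packet("eth0", "tcp", 445, "ESTABLISHED")
    state_first = evaluate([LO, STATE, ICMP, WORM], pkt)[0]
    drop_first = evaluate([WORM, LO, STATE, ICMP], pkt)[0]
    return state_first, drop_first


if __name__ == "__main__":
    for mix, (frank, mike) in ordering_cost().items():
        print(f"{mix}: state-first examines {frank} rules, lo-first examines {mike}")
    print("tcp/445 ESTABLISHED: state rule first -> %s, port DROP first -> %s"
          % worm_port_verdicts())
```

The model shows why the "right" order depends on the host: the state-first chain touches fewer rules for a network-facing box, the lo-first chain touches fewer for a loopback-heavy one, and a DROP placed after the ESTABLISHED,RELATED accept never sees an established flow. On a real system the per-rule hit counters from `iptables -L INPUT -v -n` are the equivalent measurement, and they also reveal when a rule below the state accept is never reached.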