Re: [CENTOS ]IPTABLES - How Secure & Best Practice




On Wed, Jun 29, 2016 at 1:49 PM, Gordon Messmer
<gordon.messmer@xxxxxxxxx> wrote:
>
> By putting these rules first, before the "ESTABLISHED,RELATED" rule, you're
> applying additional processing (CPU time) to the vast majority of your
> packets for no reason.  The "E,R" rule should be first.  It won't match the
> invalid packets you're trying to drop.
>
> You're not specifying the "new" state in any of your input ACCEPT rules,
> which means that you're also ACCEPTing invalid packets that don't match the
> handful of invalid states you DROPped earlier.
>
>>     1. The drop commands at the beginning of each chain are to increase
>>     performance.
>
>
> I understand what you're trying to do, but in the real world, this will
> decrease performance.
>

Gordon,

I appreciate your observations.
I've been using iptables for a long time and still don't really know
how to configure the order of rules to optimize performance while
providing thorough filtering as a component of security.
Can you share links and/or other sources and guides on this subject?

Thank you.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
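As an added example (not from this thread or from either poster), the following POSIX sh/awk check applies the two points Gordon makes to an iptables-restore style ruleset: the ESTABLISHED,RELATED accept should be the first rule in INPUT so that most packets leave the chain after one match, the INVALID drop should run after it rather than before it, and every per-port ACCEPT should be limited to state NEW so that it does not also accept invalid packets. The two rulesets are constructed for illustration (BAD_RULES in the order the original poster described, GOOD_RULES reordered as suggested); the function names lint_input_chain and problem_count are mine, and the lint deliberately only looks at port ACCEPTs (the loopback accept is left alone).

```shell
#!/bin/sh
# Added example, not part of the thread: a small POSIX sh/awk lint that checks
# an iptables-restore style INPUT chain for the ordering points Gordon raised.
# The rulesets and function names below are constructed for illustration.

# Constructed ruleset in the shape the original poster described: the
# "drop invalid" rules come first and the per-port ACCEPTs carry no state match.
BAD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ALL ALL -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Same policy, reordered as suggested: ESTABLISHED,RELATED is matched first so
# the bulk of packets leave the chain after one rule; INVALID is dropped next;
# only connections in state NEW can reach the per-port ACCEPTs.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# lint_input_chain RULESET
# Prints one line per problem found in the INPUT chain and returns 1 if any
# were found, 0 if the chain is clean. Accepts both "-m conntrack --ctstate"
# and the older "-m state --state" spellings.
lint_input_chain() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / {
            n++
            er = ($0 ~ /--(ctstate|state) [^ ]*ESTABLISHED,RELATED[^ ]* -j ACCEPT$/)
            if (n == 1 && !er) {
                problems++
                print "first INPUT rule is not the ESTABLISHED,RELATED accept: " $0
            }
            if ($0 ~ /--dport / && $0 ~ / -j ACCEPT$/ && $0 !~ /--(ctstate|state) [^ ]*NEW/) {
                problems++
                print "port ACCEPT not restricted to NEW (will also accept INVALID): " $0
            }
            if (er) er_pos = n
            if ($0 ~ /--(ctstate|state) [^ ]*INVALID[^ ]* -j DROP$/) inv_pos = n
        }
        END {
            if (inv_pos && er_pos && inv_pos < er_pos) {
                problems++
                print "INVALID drop is evaluated before the ESTABLISHED,RELATED accept, so every packet pays for it"
            }
            exit (problems ? 1 : 0)
        }'
}

# problem_count RULESET -> number of problems reported (0 for a clean chain)
problem_count() {
    lint_input_chain "$1" | awk 'END { print NR }'
}

# Run the lint over both constructed rulesets; the if keeps a non-zero
# return from the lint from aborting a shell running with set -e.
for name in BAD_RULES GOOD_RULES; do
    eval "ruleset=\$$name"
    if lint_input_chain "$ruleset"; then
        echo "$name: INPUT chain ordering looks right"
    else
        echo "$name: $(problem_count "$ruleset") problem(s) found"
    fi
done
```

To check a live host rather than the constructed text, feed it `iptables-save` output: `lint_input_chain "$(iptables-save -t filter)"`. The lint only reads text, so it needs no privileges of its own and can run in CI against a ruleset file before it is loaded with iptables-restore.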


