Re: Hardware Configuration Ideas

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Yes. In fact most cases of "advanced" firewalling only mean that you have a
stupid fw-design, like hundreds/thousands of rules in one chain :-). Usually can
be optimised by using sub-chains, ipset and/or ipt_ACCOUNT.

If someone has hundreds of rules in one chain (with out a _*VERY*_ good reason and even then) they need to be shot on the spot.  For performance reasons such a chain should be broken out in to a tree of chains an subchains that are jumped to in an attempt to minimize the number of rules that have to be traversed to get a match on any given packet.

What I was referring to by advanced firewalling was such things as running things like "-p udp -s 0.0.0.0/32 -d 255.255.255.255/32 --sport 68 --dport 67 -m addrtype --src-type broadcast -m pkttype --pkt-type broadcast" for DHCP requests. or complex SSH Brute Force prevention chains / rules, or recent lists to control what types of traffic will be valid based on what you have sent or is not valid b/c you have not sent any thing, or should packets with the reset flag have the ack flat set or not, etc.



Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux