Re: [Thread split] nftables rule optimization - dropping invalid in ingress?

On Sun, 21 Apr 2024 17:50:00 -0000
"William N." <netfilter@xxxxxxxxxx> wrote:

> On Sun, 21 Apr 2024 03:45:31 +0000 Eric wrote:
> 
> > I'd be very interested in seeing some statistics on how many actual
> > invalid packets you see on a live link.  Stick some counters in there
> > and collect dropped versus passed packets...  
> 
> This particular system is a desktop one (rebooted often), so that kind
> of stats won't make any sense.
> 
> > My naive guess would be there are only tiny percentage of rejected
> > packets.  
> 
> Without a particular attack - quite possible. However, it is always
> good to learn what is better/worse/futile.
> 

[Again, this is iptables; your mileage with nftables may vary.]

From my firewall that's been up 30 days; I think these are reasonable numbers. It shows the total packets that passed PREROUTING, the packets from internet dropped due to my blocklists (which probably includes at least some INVALID packets), and the remaining INVALID packets from internet and internal sources. These two are the only DROPs in PREROUTING. Ballpark, about 0.5% of the packets are INVALID. Small, but not necessarily 'tiny'.
-----
*mangle
:PREROUTING ACCEPT [728638:3046835361]
[43686:2232175] -A PREROUTING -i eth3 \
    -m set --match-set blockSetHost src -j blDrop
[37712:1840302] -A PREROUTING \
    -m state --state INVALID -j invdrop
-----

Note that dropping them at the top of PREROUTING prevents them from passing through the rest of the rules in PREROUTING (and mangle), and rules in nat, and any rules in filter they might hit before finally being DROPped.

N
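An added example, not from the post above or from the netfilter project, that does the counting the thread asks for in two ways: first it computes the INVALID share from `iptables-save -c` output, using the counters quoted in the post (reflowed onto single lines as constructed input), then it prints an nftables ruleset that does the same job with explicit named counters. One detail the script has to account for: in `iptables-save -c` output the `[pkts:bytes]` on a built-in chain's policy line is the policy counter (packets that reached the end of the chain), not the total entering the chain, so the total is reconstructed as policy hits plus rule hits, on the assumption stated in the post that both jump targets drop what they receive. The nftables table and counter names (`early`, `prerouting_total`, `invalid_drops`) are hypothetical; the chain priority of -150 is chosen because conntrack hooks prerouting at -200, and a chain that runs before it (for example at `raw`, -300) never sees `ct state invalid`.

```shell
#!/bin/sh
# Added example (not code from the original post): measure what share of a
# chain's traffic is dropped as INVALID, from iptables-save -c output, and
# show an nftables ruleset that counts the same thing explicitly.

# Constructed input: the counters quoted in the post, reflowed onto single
# lines.  iptables-save -c format: leading [packets:bytes] per rule, and the
# policy counter in brackets on the chain line.
sample_counters() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [728638:3046835361]
[43686:2232175] -A PREROUTING -i eth3 -m set --match-set blockSetHost src -j blDrop
[37712:1840302] -A PREROUTING -m state --state INVALID -j invdrop
COMMIT
EOF
}

# invalid_share CHAIN < iptables-save-c-output
# Prints the percentage of packets entering CHAIN that matched a rule whose
# text contains "INVALID".  The chain line carries the policy counter (packets
# that fell through to the policy), so total = policy hits + rule hits.
# Assumption: every rule in CHAIN jumps to a target that drops everything it
# receives (as the post says of blDrop/invdrop); a target that RETURNs would
# make its packets count twice.
invalid_share() {
    chain="$1"
    awk -v chain="$chain" '
        $1 == (":" chain) {
            sub(/^\[/, "", $3); split($3, c, ":"); policy = c[1]
        }
        $1 ~ /^\[/ && $2 == "-A" && $3 == chain {
            pk = $1; sub(/^\[/, "", pk); split(pk, c, ":")
            hits += c[1]
            if ($0 ~ /INVALID/) invalid += c[1]
        }
        END {
            total = policy + hits
            if (total == 0) { print "0.00"; exit }
            printf "%.2f\n", 100 * invalid / total
        }'
}

# nftables equivalent (hypothetical table/counter names) with an explicit
# total counter at the top of the chain, so nothing has to be reconstructed
# from the policy counter.  Priority must be greater than -200 (conntrack's
# prerouting hook); at raw (-300) ct state is not populated yet and
# "ct state invalid" never matches.
nft_ruleset() {
    cat <<'EOF'
table inet early {
    counter prerouting_total { }
    counter invalid_drops { }

    chain prerouting {
        type filter hook prerouting priority -150; policy accept;
        counter name "prerouting_total"
        ct state invalid counter name "invalid_drops" drop
    }
}
EOF
}

echo "INVALID share of PREROUTING from the posted iptables counters (%):"
sample_counters | invalid_share PREROUTING
echo
echo "nftables ruleset with explicit counters (load: nft -f FILE; read: nft list counters):"
nft_ruleset
```

Reading the two nftables counters back with `nft list counters` gives invalid_drops/prerouting_total directly, which is the figure the thread is after; the iptables path needs the policy-counter arithmetic because no rule at the top of PREROUTING counts everything.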




