On Fri 10/10/2003 at 13:26, richard lucassen wrote:
> I want all traffic on port 80 to be handled by a user-defined chain
> "CH_WWW". Now my question: What is better, this way (I let the port
> 80 packets jump first, then I have _two_ ESTABLISHED,RELATED rules, in
> both the INPUT and the CH_WWW chain):
>
> ********************************************************************
> ${IPT} -A INPUT -p tcp --dport 80 -j CH_WWW
> ${IPT} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> [..]
>
> And an extra ESTABLISHED,RELATED in the CH_WWW:
> ${IPT} -A CH_WWW -m state --state ESTABLISHED,RELATED -j ACCEPT
> ${IPT} -A CH_WWW (first rule)
> [..]
> ********************************************************************
>
> or this (I have _one_ ESTABLISHED,RELATED rule, and then let port 80
> jump):
>
> ********************************************************************
> ${IPT} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> ${IPT} -A INPUT -p tcp --dport 80 -j CH_WWW
> [..]
>
> And an extra ESTABLISHED,RELATED in the CH_WWW:
> ${IPT} -A CH_WWW (first rule)
> [..]
> ********************************************************************
>
> Both ways work, but I'd say the second way is the best. Am I right?

I agree. To me, these two rulesets are equivalent for HTTP packets, but the first one implies one more rule evaluation than the second one for ESTABLISHED packets that are destined to TCP/80.

PS: there are no RELATED packets in HTTP ;)

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
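The rule-evaluation argument made in the reply can be checked by hand with a small model of how iptables walks chains. The following is an added example, not code from the thread: it simulates just the pieces the two rulesets use (a -p/--dport match, a -m state match, a -j to a user-defined chain with implicit RETURN at its end, and the built-in chain policy) and counts how many rules each packet touches before reaching a verdict. The thread never says what "(first rule)" in CH_WWW is, so it is assumed here to be a plain "accept NEW" rule, and the INPUT policy is assumed to be DROP. Beyond the ESTABLISHED tcp/80 case the reply talks about, the sample packets also cover NEW tcp/80 and traffic to another port, which shows that the second ordering is never more expensive than the first.

```python
# Added example (not from the original thread): a small simulator of
# iptables chain traversal that counts how many rules are evaluated
# before a packet reaches a verdict, for the two rulesets discussed.
# ASSUMPTIONS: "(first rule)" in CH_WWW is "accept NEW"; INPUT policy is DROP.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

EST_REL = frozenset({"ESTABLISHED", "RELATED"})


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", ...
    dport: int
    state: str   # conntrack state: "NEW", "ESTABLISHED", "RELATED", "INVALID"


@dataclass(frozen=True)
class Rule:
    target: str                    # "ACCEPT", "DROP" or the name of a user chain
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport
    states: frozenset = field(default_factory=frozenset)  # -m state --state; empty = no state match

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


Chains = Dict[str, List[Rule]]


def traverse(chains: Chains, chain: str, pkt: Packet,
             policy: Optional[str] = "DROP") -> Tuple[Optional[str], int]:
    """Walk `chain` for `pkt`; return (verdict, number of rules evaluated).

    A user-defined chain has no policy: falling off its end RETURNs to the
    caller, which continues with its next rule (policy=None signals that).
    """
    evaluated = 0
    for rule in chains[chain]:
        evaluated += 1
        if not rule.matches(pkt):
            continue
        if rule.target in chains:                       # -j USER_CHAIN
            verdict, sub = traverse(chains, rule.target, pkt, policy=None)
            evaluated += sub
            if verdict is not None:
                return verdict, evaluated
            continue                                    # implicit RETURN
        return rule.target, evaluated                   # ACCEPT / DROP
    return policy, evaluated


# Ruleset A from the thread: jump to CH_WWW first, ESTABLISHED,RELATED in both chains.
RULESET_A: Chains = {
    "INPUT": [Rule("CH_WWW", proto="tcp", dport=80),
              Rule("ACCEPT", states=EST_REL)],
    "CH_WWW": [Rule("ACCEPT", states=EST_REL),
               Rule("ACCEPT", states=frozenset({"NEW"}))],   # assumed "(first rule)"
}

# Ruleset B from the thread: one ESTABLISHED,RELATED rule in INPUT, then the jump.
RULESET_B: Chains = {
    "INPUT": [Rule("ACCEPT", states=EST_REL),
              Rule("CH_WWW", proto="tcp", dport=80)],
    "CH_WWW": [Rule("ACCEPT", states=frozenset({"NEW"}))],   # assumed "(first rule)"
}


def compare(pkt: Packet) -> Dict[str, Tuple[Optional[str], int]]:
    """Verdict and evaluation count for `pkt` under both rulesets."""
    return {"A": traverse(RULESET_A, "INPUT", pkt),
            "B": traverse(RULESET_B, "INPUT", pkt)}


if __name__ == "__main__":
    # Constructed sample packets: the case the thread argues about, plus three more.
    for pkt in (Packet("tcp", 80, "ESTABLISHED"), Packet("tcp", 80, "NEW"),
                Packet("tcp", 22, "ESTABLISHED"), Packet("tcp", 22, "NEW")):
        print(pkt, compare(pkt))
```

Both rulesets return the same verdict for every packet; only the count differs: an ESTABLISHED tcp/80 packet costs two evaluations under the first ordering and one under the second, and the same holds for established traffic to any other port, while NEW packets cost the same either way. On a real host the equivalent check is the per-rule packet counters from `iptables -L INPUT -v -n` and `iptables -L CH_WWW -v -n`, which show which rules a flow actually hits.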