On November 2, 2003 06:45 am, Chris Brenton wrote:
> On Sun, 2003-11-02 at 05:29, Peteris Krumins wrote:
> > CB> Here is what I do in my script to specify my rules:
> >
> > CB> while read SPOOFED ; do
> > CB> iptables -A FORWARD -s $SPOOFED -j LOG --log-prefix " SPOOFING "
> > CB> iptables -A FORWARD -s $SPOOFED -j DROP
> > CB> done < spoofed_ips.txt
> >
> > This is wrong,
>
> I'm not sure what you mean by "wrong" as this works just fine.
>
> > to log/drop a single ip 2 lookups on the src addr have to be
> > performed.
>
> LOL! If you are worried about performing one extra file read when
> loading your rules, I think it's time to upgrade your hard drive. ;-)
>
> > Instead a single chain should be created to which all the spoofed packets
> > would jump. The single chain logs and drops.
> >
> > i=iptables
> > $i -N LOG_DROP
> > $i -A LOG_DROP -j LOG --log-prefix " SPOOFING "
> > $i -A LOG_DROP -j DROP
> >
> > while read SPOOFED;
> > do
> > $i -A FORWARD --src $SPOOFED -j LOG_DROP
> > done < spoofed_ips.txt
>
> Yup, this would work as well. I _personally_ like my way a little better
> because this way requires the traversal of an additional rule for
> every IP packet that matches the ban list. This is going to have a
> greater performance impact than the additional file read mentioned above.
> Probably not a big deal if you are talking a home firewall, but it can
> make a difference if you have big pipes and/or large ban lists.

I disagree with this logic. You have more work in matching IPs twice in the
FORWARD chain than matching them once and dumping them to a straight log and
drop.

Even further, method 1 adds {spoofed ip count}*2 rules to the base; method 2
adds {spoofed ip count}+2 rules to the base. Memory saving, if I don't
misunderstand.

> HTH,
> C

--
Alistair Tonner nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Let's get magical!
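The two rule layouts argued over in this thread, as an added example that is not code from either poster. It builds both layouts from the same constructed ban list and counts what each installs and how many rules a packet walks through. The ipt function is an assumed dry-run stand-in for iptables that records each command line instead of executing it, so the script runs without root or netfilter; evals_for is a simple cost model that counts rule evaluations along netfilter's top-to-bottom walk of the FORWARD chain (following a jump into LOG_DROP) and assumes every rule costs the same to evaluate. The ban list and the non-matching test address are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares the two ban-list layouts:
#   method 1: two FORWARD rules (LOG, DROP) per banned source
#   method 2: one LOG_DROP chain plus one FORWARD jump per banned source
# "ipt" is an assumed dry-run stand-in for iptables: it appends the command
# line to a file instead of running it, so no root or netfilter is needed.

RULES_FILE="${TMPDIR:-/tmp}/ipt_dryrun.$$"
SPOOFED_LIST="${TMPDIR:-/tmp}/spoofed_ips.$$"
trap 'rm -f "$RULES_FILE" "$SPOOFED_LIST"' EXIT

# Constructed sample ban list: the three RFC 1918 ranges plus the loopback net.
printf '%s\n' 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 > "$SPOOFED_LIST"

ipt() { printf 'iptables %s\n' "$*" >> "$RULES_FILE"; }

# Method 1: LOG then DROP directly in FORWARD for every banned source.
build_method1() {
    : > "$RULES_FILE"
    while read -r SPOOFED; do
        ipt -A FORWARD -s "$SPOOFED" -j LOG --log-prefix " SPOOFING "
        ipt -A FORWARD -s "$SPOOFED" -j DROP
    done < "$SPOOFED_LIST"
}

# Method 2: one user chain that logs and drops; FORWARD only jumps to it.
build_method2() {
    : > "$RULES_FILE"
    ipt -N LOG_DROP
    ipt -A LOG_DROP -j LOG --log-prefix " SPOOFING "
    ipt -A LOG_DROP -j DROP
    while read -r SPOOFED; do
        ipt -A FORWARD -s "$SPOOFED" -j LOG_DROP
    done < "$SPOOFED_LIST"
}

# Number of rules appended to chain $1 in the recorded rule set.
count_chain() { grep -c -- "-A $1 " "$RULES_FILE" || true; }

# Cost model: walk the recorded FORWARD chain top to bottom for a packet whose
# source is exactly $1, counting rules evaluated until a DROP is reached or the
# chain ends. A jump to LOG_DROP adds that chain's rules. Every rule is assumed
# to cost the same; the real per-rule cost is not modelled.
evals_for() {
    src=$1; n=0
    while read -r _cmd _flag chain rest; do
        [ "$chain" = FORWARD ] || continue
        n=$((n + 1))
        case "$rest" in
            "-s $src -j LOG "*) ;;                       # LOG is non-terminating
            "-s $src -j DROP")  echo "$n"; return ;;     # terminating target
            "-s $src -j LOG_DROP")                       # jump: walk the user chain
                n=$((n + $(grep -c -- '-A LOG_DROP ' "$RULES_FILE")))
                echo "$n"; return ;;
        esac
    done < "$RULES_FILE"
    echo "$n"                                            # fell off the end: no match
}

# Stand-alone run: rule counts and evaluations for the first entry, the third
# entry, and a constructed address (203.0.113.5, TEST-NET-3) that matches nothing.
for method in build_method1 build_method2; do
    "$method"
    printf '%s: %s FORWARD rules, %s rules total; evaluations: entry 1 = %s, entry 3 = %s, no match = %s\n' \
        "$method" "$(count_chain FORWARD)" "$(wc -l < "$RULES_FILE" | tr -d ' ')" \
        "$(evals_for 10.0.0.0/8)" "$(evals_for 192.168.0.0/16)" "$(evals_for 203.0.113.5)"
done
```

With four entries the output shows method 1 installing 8 rules and method 2 installing 6 (4 jumps plus the 2 in LOG_DROP), matching the {count}*2 versus {count}+2 arithmetic above. Under the equal-cost model the single-chain layout evaluates one rule more only for a packet matching the first entry (3 versus 2); for an entry further down the list it evaluates fewer (5 versus 6 for the third entry), and for forwarded traffic that matches nothing it walks half as many rules (4 versus 8). Whether that translates into measurable throughput on a given box is what the two posters disagree about, and this script only counts rule evaluations.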