On Thursday 08 July 2004 7:07 pm, Erik Wikström wrote:

> On Thu, Jul 08, 2004 at 06:28:49PM +0100, Antony Stone wrote:
> > On Thursday 08 July 2004 6:10 pm, Erik Wikström wrote:
> >
> > I would turn the question around to you: why do you think it is better to
> > have the rules arranged into different chains as you have suggested? Do
> > you think that is easier to understand? (If you *do* find it easier to
> > understand, then go ahead and do it, don't do what *I* find easy to work
> > with.)
>
> My thought was that by sorting the packets by type at first and then
> make a more thorough filtering I would avoid the overhead of having,
> for example, a UDP packet go through a lot of rules concerning TCP
> packets. But, as you say, it leads to a quite complicated structure, but
> since the firewall is quite old (75MHz) and a lot of P2P traffic is
> passing through I thought that it might have some value.

Well, a good policy is to have the rules which match the most packets at the
top of the ruleset (so that most packets pass through a small number of rules
before being matched). This is why the stateful rule "-m state --state
ESTABLISHED,RELATED" is the very first rule in most people's rulesets.

A good way to find out what order to put the rules in is to guess, and then
after some reasonable amount of traffic has passed through the firewall, use
"iptables -L -nvx" to see the packet / byte counters in the first two columns.
Rearrange your rules so that the ones with the highest packet (not byte) counts
come first, and you have a pretty optimum design.

Regards,

Antony.

-- 
There's no such thing as bad weather - only the wrong clothes.
 - Billy Connolly

Please reply to the list; please don't CC me.
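The counter-driven reordering Antony describes, as an added example that is not part of the original thread: it parses a constructed sample of `iptables -L INPUT -nvx` output, ranks the rules by packet count, and flags the one thing the email does not spell out, namely that moving a rule ahead of an earlier rule with a different target (ACCEPT past DROP, or vice versa) can change the verdict for packets both rules match, so those pairs need a manual check before the chain is rewritten. All rule lines, addresses and counters below are constructed.

```python
"""Rank iptables rules by packet count, then flag reorderings that may change verdicts."""

# Constructed sample of `iptables -L INPUT -nvx` output (-x gives exact counters).
SAMPLE_OUTPUT = """\
Chain INPUT (policy DROP 1234 packets, 56789 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      50       4000 DROP       tcp  --  eth0   *       10.0.0.0/8           0.0.0.0/0            tcp dpt:80
     120       9600 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   98765   65432100 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    4321     345680 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
     800      64000 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
"""


def parse_counters(listing):
    """Return [(position, pkts, target, rule_text)] for each rule line.

    Position is the 1-based rule number within the chain, the same number that
    `iptables -D <chain> <n>` / `iptables -I <chain> <n>` refer to.
    """
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        # Rule lines begin with two integer counters; the header lines do not.
        if len(parts) < 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue
        rules.append((len(rules) + 1, int(parts[0]), parts[2], " ".join(parts[2:])))
    return rules


def suggest_order(rules):
    """Highest packet count (not byte count) first; stable so ties keep chain order."""
    return sorted(rules, key=lambda r: r[1], reverse=True)


def reorder_warnings(rules, proposed):
    """Pairs (mover, overtaken) where a rule jumps ahead of an earlier rule
    that has a different target. If their match sets overlap, the swap changes
    which verdict wins, so these pairs must be checked by hand before applying."""
    new_pos = {r[0]: i for i, r in enumerate(proposed)}
    return [(b[0], a[0]) for a in rules for b in rules
            if a[0] < b[0] and new_pos[b[0]] < new_pos[a[0]] and a[2] != b[2]]


if __name__ == "__main__":
    parsed = parse_counters(SAMPLE_OUTPUT)
    order = suggest_order(parsed)
    for pos, pkts, _target, text in order:
        print(f"rule {pos}: {pkts:>8} pkts  {text}")
    for mover, overtaken in reorder_warnings(parsed, order):
        print(f"check: rule {mover} would move ahead of rule {overtaken} (different target)")
```

With the sample above the suggested order is 3, 4, 5, 2, 1, and rule 5 (ACCEPT tcp dpt:80) overtaking rule 1 (DROP tcp dpt:80 from 10.0.0.0/8) is exactly the kind of swap that must not be applied blindly.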