On Sunday 01 August 2004 8:03 pm, Jason Opperisano wrote:

> <OT>
> Where is the new-found obsession with dropping packets in the NAT table
> coming from?
> </OT>

Indeed. A few people here have commented recently that they prefer dropping stuff in the PREROUTING nat table instead of waiting until it hits INPUT or FORWARD, for things like spoofed packets or invalid TCP flag combinations.

I guess dropping things in nat is okay in exceptional circumstances, but I hardly think the efficiency boost of dropping in nat instead of waiting until the first filter table is reached makes any noticeable difference, and I still advocate doing address translation in the nat tables, filtering operations in the filter tables, and anything else in the mangle tables.

Just so long as you remember never to set a default policy other than ACCEPT on any nat or mangle tables.....

Regards,

Antony.

-- 
I own three Windows books, published by O'Reilly. They are "Windows Annoyances", "Office 97 Annoyances" and "Windows 98 Annoyances". That pretty much sums it up for me.

Please reply to the list; please don't CC me.
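Added example, not part of the original message: a small audit that reads `iptables-save` output and reports any nat or mangle chain whose default policy is not ACCEPT, or that jumps to DROP or REJECT, which is the convention the message recommends. The names `audit` and `SAMPLE`, and the addresses and interface in the sample ruleset, are constructed for illustration.

```python
TERMINATING = {"DROP", "REJECT"}   # targets that discard packets
NON_FILTER = {"nat", "mangle"}     # tables the message says should not filter

# Constructed sample in iptables-save format (addresses and interface are made up).
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 192.168.0.0/16 -i eth0 -j DROP
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i eth0 -j DROP
COMMIT
"""

def audit(ruleset):
    """Return (line_no, table, chain, problem) for each nat/mangle policy or rule that drops."""
    findings, table = [], None
    for n, raw in enumerate(ruleset.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue                      # blank line or iptables-save comment
        if tok[0].startswith("*"):
            table = tok[0][1:]            # "*nat" opens the nat table section
        elif tok[0] == "COMMIT":
            table = None
        elif table not in NON_FILTER:
            continue                      # dropping in the filter table is expected
        elif tok[0].startswith(":") and len(tok) > 1:
            # ":CHAIN POLICY [pkts:bytes]"; user-defined chains show "-" as policy
            if tok[1] not in ("ACCEPT", "-"):
                findings.append((n, table, tok[0][1:], "policy " + tok[1]))
        elif tok[0] == "-A" and len(tok) > 1:
            for flag, target in zip(tok, tok[1:]):
                if flag in ("-j", "--jump") and target in TERMINATING:
                    findings.append((n, table, tok[1], "rule jumps to " + target))
    return findings

if __name__ == "__main__":
    for n, table, chain, problem in audit(SAMPLE):
        print(f"line {n}: {table}/{chain}: {problem}")
```
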