On Wed, Jan 05, 2005 at 02:30:43PM -0800, Bhasker Allam wrote:
> There are a few situations that I can think of:
>
> - A spurious host/hosts sending garbage packets. If I
> know either source IP/subnet or mac address I can put
> in a filter and drop all the packets from spurious
> sources with minimal effort. Why should I spend cycles
> doing the route lookup ?

-t mangle PREROUTING is an acceptable place to do "first things first"
filtering/packet scrubbing. it's where i do things like anti-spoofing
rules and invalid TCP flag combo rules.

> - I could do policy based routing. That is, I want
> packets from interface X or subnet S to go out on
> interface Y all the rest go via the normal routing
> path. From what I read this is not possible now.

whatcha been reading? it's certainly possible:

http://lartc.org/howto/lartc.rpdb.html

> - If I use my linux box a router I could have policies
> on different interface to do different things. For
> example, I might not want packets arriving from
> certain sources to reach certain destinations. It does
> not matter whether I am forwarding or not. You could
> say I could put that in the output filter, but my
> argument why should I have to go through route lookup if
> I don't have to ?

you're starting to toe the line as to what should go in your normal
filter rules here--but that's just IMHO.

-j

--
"Beer. Now there's a temporary solution." --The Simpsons
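The two things the reply describes, "first things first" scrubbing in -t mangle PREROUTING (anti-spoofing and invalid TCP flag combinations) and the RPDB policy routing the LARTC link covers, as an added example script that is not part of the thread. Interface names (eth0 as WAN, eth2 as the second uplink), the 192.168.2.0/24 subnet, gateway 192.0.2.1 and table number 100 are placeholder assumptions; set IPT and IP to `echo` to preview the commands without touching a live box.

```shell
#!/bin/sh
# Added example, not from the original thread. Placeholder assumptions:
# WAN interface eth0, alternate uplink eth2 with gateway 192.0.2.1,
# LAN subnet 192.168.2.0/24 that should leave via eth2, routing table 100.
IPT="${IPT:-iptables}"
IP="${IP:-ip}"
WAN="${WAN:-eth0}"

# Anti-spoofing before any route lookup: packets arriving on the WAN side
# with source addresses that never legitimately come from the Internet
# (RFC 1918, loopback, link-local) are dropped in mangle PREROUTING.
antispoof_rules() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16; do
        "$IPT" -t mangle -A PREROUTING -i "$WAN" -s "$net" -j DROP
    done
}

# Invalid TCP flag combinations: these never occur in a legitimate session,
# so they can be discarded before the packet reaches routing or filter.
tcp_flag_rules() {
    "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP        # no flags at all
    "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP         # every flag set
    "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # open and close at once
    "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP # open and reset at once
    "$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP     # FIN without ACK
}

# Policy routing (RPDB): traffic from one subnet uses its own table with a
# different default gateway; everything else keeps using the main table.
policy_route() {
    src_net="$1"; via="$2"; dev="$3"
    "$IP" route add default via "$via" dev "$dev" table 100
    "$IP" rule add from "$src_net" lookup 100
}

# Apply everything only when explicitly asked: ./scrub.sh apply
if [ "${1:-}" = "apply" ]; then
    antispoof_rules
    tcp_flag_rules
    policy_route 192.168.2.0/24 192.0.2.1 eth2
fi
```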