On Fri, May 20, 2005 at 02:03:47PM -0500, Taylor, Grant wrote:
> >Why is filtering in -t mangle not also poor form?
>
> I believe that you are really suppose to do the filtering in the filter
> table. But seeing as how the kernel will respond to the traceroute packet
> that comes in before the rules in the filter table could DROP the packet we
> have to do this filtering elsewhere to beat the kernel to the punch.
> Jason, do you have any additional comments / corrections?
well--the different chains are there for a reason. you have a filter
table for filtering packets, you have a nat table for translating
addresses...use them for their intended purpose.
one reason to not filter in nat is that not every packet traverses the
chains in the nat table, only --state NEW packets traverse the chains in
nat. that alone should be enough of an argument that the nat table is
not intended for packet filtering.
another reason is maintainability. i had a guy on IRC tearing his
hair out yesterday because he couldn't figure out why his packets
weren't getting through. he added all the necessary rules to allow
the traffic, but no dice. turns out he had a DROP rule in his nat
table...in POSTROUTING no less... if he had just dropped the $%^#
packet in filter, it never would've gotten to nat POSTROUTING anyways.
if you desire to maintain large numbers of large-scale firewalls without
spending every waking moment caring for them, you need to do things in
an easy-to-maintain way. filtering packets in a table not intended for
that purpose doesn't fall into this methodology.
so like i said, "it's poor form." i'm not saying it's wrong, or that
you can't do it, but in my opinion; as a guy who's dealt with firewall
systems for a good long while now--it's not "best practice."
especially considering that we all have the wondrous mangle table
available to us, which *is* traversed by every packet, and gives us an
opportunity to do some pre-filter table scrubbing.
-j
--
"Stewie: Met her on my CB / said her name was Mimi / Sounded like
an angel'd come to earth (come to earth) / When I went to meet her /
Man, you should have seen her / Twice as tall as me, three times
the girth."
--Family Guy
