On Thu, 1 Dec 2005 Frank.Mayer@xxxxxxxxxxxxxxxxx wrote:

> > In my opinion it's a waste of resources to specify any other matching
> > together with '-m state --state NEW,ESTABLISHED' if you set up proper
> > rules for matching NEW packets.
>
> I'm not sure I understand....
> It's true I can (and often do) add a rule similar to
>
>   iptables -A FORWARD -s 0/0 -d 0/0 -p tcp -m state --state ESTABLISHED -j ACCEPT
>
> as some "catch-it-all".

The '-s 0/0 -d 0/0' matches buy nothing; they express the default. But why do you specify the protocol? Will you enter similar rules for UDP and ICMP as well? Then netfilter has to process two or three rules instead of one. And if you already let in the packet which created the connection, then the state matching is perfectly enough to match all subsequent packets in the same stream.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
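The two FORWARD-chain layouts discussed in the thread, written out side by side as an added example (not from the thread or from the netfilter project). The port numbers, the RELATED state on the catch-all rule and the dry-run wrapper are my additions; the per-protocol ESTABLISHED rules are the redundant form, the single state rule followed by NEW-only rules is the form Jozsef recommends.

```shell
#!/bin/sh
# Added example: the same FORWARD policy written with redundant per-protocol
# ESTABLISHED rules and then with one state rule. IPT defaults to a dry run
# that only prints the commands; set IPT=iptables to actually load them.
IPT="${IPT:-echo iptables}"

# Redundant layout: every packet of a long-lived stream may have to be
# checked against up to three state matches before it is accepted.
redundant_forward() {
    $IPT -A FORWARD -p tcp  -m state --state ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -p udp  -m state --state ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -p icmp -m state --state ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -p tcp  --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -p udp  --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -j DROP
}

# Consolidated layout: conntrack already knows the protocol of an existing
# stream, so one state rule (RELATED added for ICMP errors and helper data
# connections) accepts all follow-up packets; only NEW packets, i.e. the
# first packet of a connection, are subject to the protocol/port rules.
consolidated_forward() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -p tcp  --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -p udp  --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -j DROP
}

# Count the rules of a layout that mention a pattern, to compare the two.
count_rules() { "$1" | grep -c -- "$2"; }
```

Run it as-is to see the rule lists; the DROP at the end stands in for whatever your chain's final policy is.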