george wrote:
I've seen a few places telling me that you shouldn't filter in the
mangle table. However, it seems sensible to me to drop junk packets in
PREROUTING rather than have to duplicate those rules in both INPUT and
FORWARD.
Rather than taking an absolutely closed minded approach and trying to
convince you that I disagree and why, I'll ask this:
Are your (any one posting to this thread) statements based on things you
your self have experienced, or been told, or seen others experience, or
are they based on theory by the fact that you could improve efficiency
by filtering in the very first possible place?
What sort of system(s) are you using for your firewalls / routers?
What sort of bandwidth are they filtering?
How many rules are in your rule set(s)?
I ask, because I'd like to hear constructive discussion on both sides of
the fence.
I personally have always done my filtering in the filter table. I can
also say that I have never had a system even come close to weakening
under load. Granted most of my firewalls / routers are 233 MHz - 1 GHz
systems (what ever is laying around) with at least a quarter gig of
memory. I'm also only filtering / firewalling for SOHO (DSL / Cable) or
possibly a 10 / 100 network between subnets. I have had one system that
was filtering a full bleat 100 BaseT network and it never showed any
signs of failure or even slow down.
That being said, I could see why you might want to filter in
mangle:PREROUTING on a 486 with 16 MB RAM.
Thoughts / opinions / comments / critiques are welcomed and encouraged.
Grant. . . .
