On Thu, 2007-01-18 at 08:25 -0600, Grant Taylor wrote:
> george wrote:
> > I've seen a few places telling me that you shouldn't filter in the
> > mangle table. However, it seems sensible to me to drop junk packets in
> > PREROUTING rather than have to duplicate those rules in both INPUT and
> > FORWARD.
>
> Rather than taking an absolutely closed-minded approach and trying to
> convince you that I disagree and why, I'll ask this:
>
> Are your (anyone posting to this thread) statements based on things you
> yourself have experienced, or been told, or seen others experience, or
> are they based on theory by the fact that you could improve efficiency
> by filtering in the very first possible place?

The efficiency theory.

> What sort of system(s) are you using for your firewalls / routers?

It's a VIA miniITX 600M with 521M RAM, but it's also my SOHO/home
almost-everything-except-shared-storage server. (Yes, I know, but the risk
to SOHO doesn't merit running multiple boxes.)

> What sort of bandwidth are they filtering?

100M LAN with single-figure boxes to 2M ADSL.

> How many rules are in your rule set(s)?

3 in nat (really doing nat)
20 in mangle (including the arguable ones)
80 in filter

> I ask, because I'd like to hear constructive discussion on both sides of
> the fence.
>
> I personally have always done my filtering in the filter table. I can
> also say that I have never had a system even come close to weakening
> under load. Granted most of my firewalls / routers are 233 MHz - 1 GHz
> systems (whatever is laying around) with at least a quarter gig of
> memory. I'm also only filtering / firewalling for SOHO (DSL / Cable) or
> possibly a 10 / 100 network between subnets. I have had one system that
> was filtering a full bleat 100 BaseT network and it never showed any
> signs of failure or even slow down.
>
> That being said, I could see why you might want to filter in
> mangle:PREROUTING on a 486 with 16 MB RAM.
>
> Thoughts / opinions / comments / critiques are welcomed and encouraged.
>
> Grant. . . .
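The duplication george wants to avoid (the same junk-packet drops in both INPUT and FORWARD) can be handled inside the filter table with one user-defined chain that both built-in chains jump to, without touching mangle. This is an added example, not code from the thread; it emits an iptables-restore ruleset, and the WAN interface name and the specific "junk" patterns are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): write the junk-packet drops once, in a
# user-defined chain of the filter table, and reference it from both INPUT
# and FORWARD. The interface name and the drop patterns are assumptions.

WAN_IF="${WAN_IF:-ppp0}"   # assumed WAN interface name

# Print an iptables-restore ruleset to stdout for review or atomic loading.
gen_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:JUNK - [0:0]
# shared chain: traffic never expected from the WAN side, bogus TCP flags,
# and packets conntrack cannot classify
-A JUNK -i $WAN_IF -s 10.0.0.0/8 -j DROP
-A JUNK -i $WAN_IF -s 172.16.0.0/12 -j DROP
-A JUNK -i $WAN_IF -s 192.168.0.0/16 -j DROP
-A JUNK -i $WAN_IF -s 127.0.0.0/8 -j DROP
-A JUNK -p tcp --tcp-flags ALL NONE -j DROP
-A JUNK -p tcp --tcp-flags ALL ALL -j DROP
-A JUNK -m conntrack --ctstate INVALID -j DROP
# both built-in chains consult JUNK first, so the rules exist only once
-A INPUT -j JUNK
-A FORWARD -j JUNK
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
}

# Number of built-in chains that reference the shared chain (expected: 2).
count_junk_refs() {
    gen_filter_rules | grep -c -- '-j JUNK$'
}
```

Pipe `gen_filter_rules` into `iptables-restore --test` to syntax-check the ruleset before committing it.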