Pascal Hambourg wrote:
Florin Andrei a écrit :
Since HTTP is the only thing traversing the firewall,
Really ? No ICMP error messages, no outgoing DNS queries ?
Right, some ICMP stuff required by TCP, which can also be handled stateless.
DNS is separate. The traffic on the "master blaster" is kept very simple.
I stumbled upon "-t raw" and I'm testing it, looks like it does what I
need.
If you mean using the NOTRACK target, this is a bad idea. Packets in the
UNTRACKED state will be ignored by the connection tracking *and* thus by
the stateful NAT which depends on it.
You're right. :-(
I assume I can still pretend that conntrack does not exist, and just
write the rules as if it was a stateless firewall. It will waste CPU
cycles and memory, but that's fine. I can even tweak the netfilter
parameters so that the connection tracking expires much faster, to keep
the size down.
A stateless firewall will fail over much more quickly and more reliably
than any stateful firewall.
I would use conntrackd, I just don't know how well tested it is in
high-bandwidth high-reliability setups. I may revise that decision, but
right now I'm focusing on stateless.
Security with stateless should not be a problem in such a simple
configuration (only one open port, well-behaved protocol, all traffic
initiated from outside).
Grant Taylor wrote:
>
> Dare I ask why you are wanting to use Proxy ARP?
Well, it's required by DNAT, isn't it? It looks like even SNAT to an
address different than the main IP on the firewall interface requires it
for the return traffic.
I'm snooping the traffic, I see the ARP request for the DNAT'ed address,
but there's no reply. So the firewall must be told to answer that request.
I'm not yet sure why this is so complicated. I remember doing proxy ARP
on Slackware 10 years ago (that was, like, kernel 2.0 or something like
that) and it was a very straightforward job.
<sigh> back to doing tests.
--
Florin Andrei
http://florin.myip.org/
