On 24.10.24 at 00:10, Matt Zagrabelny wrote:
> Greetings, I have what could be a simple question. Do folks put their connection tracking rules near the top (earlier rule) of their ruleset, or near the bottom (later rule)? I used to believe that it "made sense" to have the conntrack rules earlier in the ruleset, because the packets would be related/established and wouldn't need to hit the other rules unnecessarily. However, the conntrack requires more kernel memory to track the packets. Therefore, if every connection is tracked, that would drive up the memory required for having the conntrack track every connection/packet, thus possibly exhausting the memory and not allowing other packets through.
Completely irrelevant: the conntrack happens no matter where your rules are, long before.
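To illustrate the point of the reply, here is an added nftables example (not from the original thread). The conntrack lookup is done by the kernel's conntrack hooks (registered at priority -200, NF_IP_PRI_CONNTRACK) in the prerouting and output hooks, before any chain at filter priority (0) sees the packet. The `ct state` rule therefore only reads a result that already exists; moving it earlier or later in the chain changes how many rules a packet is evaluated against, not whether it is tracked. The interface name and the "table inet filter" naming are assumptions.

```nft
# Added example ruleset; interface name is assumed.
table inet filter {
    chain input {
        # priority 0 == filter; conntrack already ran at priority -200
        type filter hook input priority 0; policy drop;

        # Early return for packets conntrack has already classified.
        # Placement here saves evaluating the rules below for those
        # packets; it does not affect whether conntrack tracks them.
        ct state established,related accept
        ct state invalid drop

        iif "lo" accept
        tcp dport 22 accept
        # everything else falls through to policy drop
    }
}
```

If the goal is actually to avoid tracking a flow (to save conntrack table memory), the only way is a `notrack` rule in a chain hooked before the conntrack priority, for example `type filter hook prerouting priority raw;` with `... notrack`. Chain order inside the input chain cannot achieve that. Memory use is governed by the conntrack table size (`net.netfilter.nf_conntrack_max`) and the per-state timeouts, not by rule order.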