On 24.10.24 at 00:10, Matt Zagrabelny wrote:
Greetings,
I have what could be a simple question.
Do folks put their connection tracking rules near the top (earlier
rule) of their ruleset, or near the bottom (later rule)?
I used to believe that it "made sense" to have the conntrack rules
earlier in the rule set, because the packets would be
related/established and wouldn't need to hit the other rules
unnecessarily.
However, the conntrack requires more kernel memory to track the
packets. Therefore if every connection is tracked, then that would
drive up the memory required for having the conntrack track every
connection/packet - thus possibly exhausting the memory and not
allowing other packets through.
So, now I am wondering if the conntrack rules should (always?) go at
the end of my ruleset.
And how do you imagine they would do anything at the end of the
ruleset?
The rule for the new connection would also hit related/established, and
after ACCEPT your rule at the end won't ever hit, because anything not
accepted before will not match anyway and reaches the final DROP.
The whole purpose of conntrack is to save walking through the whole
ruleset, and over 90% of all packets are related/established - so put
them on the top and don't try to over-engineer things you obviously have
no clue how they work behind the scenes.
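An nftables ruleset illustrating the placement argued for above, as an added example that is not from either poster; it assumes an `inet` table named `filter` with a single `input` chain, and the counters are there so the effect can be verified with `nft list chain inet filter input` after some traffic:

```nft
#!/usr/sbin/nft -f
# Constructed example ruleset (assumed table/chain names).
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Rule 1: the conntrack shortcut. Packets that belong to a flow
        # that was already accepted (the large majority) stop here and
        # never walk the rest of the chain. The counter shows how many.
        ct state established,related counter accept

        # Packets conntrack cannot associate with any flow are dropped
        # early; they would otherwise be evaluated against every rule.
        ct state invalid counter drop

        iif "lo" accept

        # Only the first packet of a flow (state new) reaches these
        # service rules; every later packet of the same flow matched
        # rule 1 above.
        tcp dport 22 ct state new counter accept
        tcp dport { 80, 443 } ct state new counter accept
        icmp type echo-request limit rate 5/second counter accept

        # Anything else falls through to the chain policy (drop).
        #
        # If the "ct state established,related accept" rule were moved
        # here instead, its counter would stay at zero: reply packets of
        # accepted SSH/HTTP flows are either accepted by the service
        # rules above (walking the whole chain each time) or, for every
        # other flow, dropped by the policy before reaching it.
    }
}
```

Conntrack memory is bounded by the kernel table size, not by rule placement: check the ceiling with `sysctl net.netfilter.nf_conntrack_max` and the current entry count with `conntrack -C` (or `sysctl net.netfilter.nf_conntrack_count`); every flow that passes a filter hook is tracked once the module is loaded, regardless of where the `ct state` rule sits.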