From: Joel Newkirk <netfilter@newkirk.us>
To: Darrell Dieringer <netfilter@darrelldieringer.com>,
netfilter@lists.samba.org
Subject: Re: Kaaza 2 jammer.
Date: Thu, 9 Jan 2003 21:18:21 -0500 [thread overview]
Message-ID: <200301092118.21946.netfilter@newkirk.us> (raw)
In-Reply-To: <IMEDICLPAGAOCBLCCKLPGENAEKAA.netfilter@darrelldieringer.com>
On Thursday 09 January 2003 01:58 pm, Darrell Dieringer wrote:
> I've always wondered something about the string matching, but never
> having used it, I haven't researched it enough to know...
>
> Wouldn't netfilter also see the string "KazzaClient" in this email
> message? I can imagine how that might cause problems if the string
> matching rules aren't well crafted.
>
> I see in the example posted by Tomasz Wrona that it only applies to
> tcp packets forwared from the internal interface, narrowing the focus
> qiute a bit. But wouldn't that also block an email message having
> that string if sent from an internal machine?
>
> Of course, the sender of that message may have indeed sent it from a
> client on his internal network, and since I'm reading it, it must have
> worked as intended.
>
> I imagine placing a string matching rule, like the example, _after_
> rules which accept other legitimate traffic (like smtp) would work
> completely fine.
>
> Looking for eduction on the topic.
With any rules you're usually better off accepting 'normal' traffic and
very precise matches before trying to catch others. This helps prevent
the situation you mentioned, and it also helps with large rulesets to
get the common traffic through the firewall with minimal testing
necessary. (IE if all 3000 client machines have port 80 access, but only
some have 110 and 25, don't waste time and power matching IP's for http)
There are surely counter-examples that will come to mind, but as a
general rule putting the most important/common traffic and most specific
matches earlier in the chain is better. Especially with things like
DNAT to a DMZ, it is easy to break a service by putting a general rule
ahead of a specific one, and if there are many rules (or subchains of
rules) the cause may not be obvious. Also, with a default DROP policy
and mostly ACCEPT rules, you have to be careful where you put a DROP
rule in the sequence, unless it is a very specific match.
Finally, in the case of the string match, it takes quite a bit more to
search for a string in the packet than to compare IPs in the header, so
you DON'T want to have this rule early in the chain if speed is an
issue. (and it usually is, isn't it? :^) As an experiment, try a site
that measures bandwidth, (like http://bandwidthplace.com/speedtest/ )
then insert a string match rule (with no target, so the packets all
continue past it) first in the INPUT chain and try again. I don't have
p-o-m added in, so I don't have string match available to me. I'm
curious though how much overhead this match actually incurs....
> Darrell Dieringer - Madison, WI
j
next prev parent reply other threads:[~2003-01-10 2:18 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <565759501.20030109180351@wp.pl>
2003-01-09 18:58 ` Kaaza 2 jammer Darrell Dieringer
2003-01-10 2:18 ` Joel Newkirk [this message]
2003-01-10 3:24 ` problem with ./runme in --batch mode. -- current p-o-m Alistair Tonner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200301092118.21946.netfilter@newkirk.us \
--to=netfilter@newkirk.us \
--cc=netfilter@darrelldieringer.com \
--cc=netfilter@lists.samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.