All of lore.kernel.org
 help / color / mirror / Atom feed
From: Joel Newkirk <netfilter@newkirk.us>
To: Darrell Dieringer <netfilter@darrelldieringer.com>,
	netfilter@lists.samba.org
Subject: Re: Kaaza 2 jammer.
Date: Thu, 9 Jan 2003 21:18:21 -0500	[thread overview]
Message-ID: <200301092118.21946.netfilter@newkirk.us> (raw)
In-Reply-To: <IMEDICLPAGAOCBLCCKLPGENAEKAA.netfilter@darrelldieringer.com>

On Thursday 09 January 2003 01:58 pm, Darrell Dieringer wrote:
> I've always wondered something about the string matching, but never
> having used it, I haven't researched it enough to know...
>
> Wouldn't netfilter also see the string "KazzaClient" in this email
> message?  I can imagine how that might cause problems if the string
> matching rules aren't well crafted.
>
> I see in the example posted by Tomasz Wrona that it only applies to
> tcp packets forwared from the internal interface, narrowing the focus
> qiute a bit.  But wouldn't that also block an email message having
> that string if sent from an internal machine?
>
> Of course, the sender of that message may have indeed sent it from a
> client on his internal network, and since I'm reading it, it must have
> worked as intended.
>
> I imagine placing a string matching rule, like the example, _after_
> rules which accept other legitimate traffic (like smtp) would work
> completely fine.
>
> Looking for eduction on the topic.

With any rules you're usually better off accepting 'normal' traffic and 
very precise matches before trying to catch others.  This helps prevent 
the situation you mentioned, and it also helps with large rulesets to 
get the common traffic through the firewall with minimal testing 
necessary. (IE if all 3000 client machines have port 80 access, but only 
some have 110 and 25, don't waste time and power matching IP's for http) 

There are surely counter-examples that will come to mind, but as a 
general rule putting the most important/common traffic and most specific 
matches earlier in the chain is better.  Especially with things like 
DNAT to a DMZ, it is easy to break a service by putting a general rule 
ahead of a specific one, and if there are many rules (or subchains of 
rules) the cause may not be obvious.  Also, with a default DROP policy 
and mostly ACCEPT rules, you have to be careful where you put a DROP 
rule in the sequence, unless it is a very specific match.

Finally, in the case of the string match, it takes quite a bit more to 
search for a string in the packet than to compare IPs in the header, so 
you DON'T want to have this rule early in the chain if speed is an 
issue.  (and it usually is, isn't it?  :^)  As an experiment, try a site 
that measures bandwidth, (like http://bandwidthplace.com/speedtest/ ) 
then insert a string match rule (with no target, so the packets all 
continue past it) first in the INPUT chain and try again. I don't have 
p-o-m added in, so I don't have string match available to me.  I'm 
curious though how much overhead this match actually incurs....

> Darrell Dieringer - Madison, WI

j



  reply	other threads:[~2003-01-10  2:18 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <565759501.20030109180351@wp.pl>
2003-01-09 18:58 ` Kaaza 2 jammer Darrell Dieringer
2003-01-10  2:18   ` Joel Newkirk [this message]
2003-01-10  3:24     ` problem with ./runme in --batch mode. -- current p-o-m Alistair Tonner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200301092118.21946.netfilter@newkirk.us \
    --to=netfilter@newkirk.us \
    --cc=netfilter@darrelldieringer.com \
    --cc=netfilter@lists.samba.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.