From: Alistair Tonner <Alistair@nerdnet.ca>
To: Chris Brenton <cbrenton@chrisbrenton.org>,
Peteris Krumins <newsgroups@lf.lv>
Cc: iptables mailing list <netfilter@lists.netfilter.org>
Subject: Re: Re[2]: efficient source address filtering and logging?
Date: Sun, 2 Nov 2003 08:35:31 -0500 [thread overview]
Message-ID: <200311020835.31617.Alistair@nerdnet.ca> (raw)
In-Reply-To: <1067773514.1562.26.camel@valhalla>
On November 2, 2003 06:45 am, Chris Brenton wrote:
> On Sun, 2003-11-02 at 05:29, Peteris Krumins wrote:
> > CB> Here is what I do in my script to specify my rules:
> >
> > CB> while read SPOOFED ; do
> > CB> iptables -A FORWARD -s $SPOOFED -j LOG --log-prefix " SPOOFING "
> > CB> iptables -A FORWARD -s $SPOOFED -j DROP
> > CB> done < spoofed_ips.txt
> >
> > This is wrong,
>
> I'm not sure what you mean by "wrong" as this works just fine.
>
> > to log/drop a single ip 2 lookups on the src addr have to be
> > performed.
>
> LOL! If you are worried about performing one extra file read when
> loading your rules, I think its time to upgrade your hard drive. ;-)
>
> > Instead a single chain should be created which all the spoofed packets
> > would jump. The single chain logs and drops.
> >
> > i=iptables
> > $i -N LOG_DROP
> > $i -A LOG_DROP -j LOG --log-prefix " SPOOFING "
> > $i -A LOG_DROP -j DROP
> >
> > while read SPOOFED;
> > do
> > $i -A FORWARD --src $SPOOFED -j LOG_DROP
> > done < spoofed_ips.txt
>
> Yup, this would work as well. I _personally_ like my way a little better
> because this way requires the traversal of of an additional rule for
> every IP packet that matches the ban list. This is going to have a
> greater performance impact than the additional file read mention above.
> Probably not a big deal if you are talking a home firewall, but it can
> make a difference if you have big pipes and/or large ban lists.
>
> HTH,
> C
Actually the point is in the first form (linear in FORWARD) you have to check
the IP TWICE ... (not FILE read during the load but checking the ?? skb ?? )
in the second form, once the lookup is done the packet is passed out to the
second chain and no other lookups of src_addr are required as the chain is
purpose built.
in small load/pipes this is negligible, however in very large load/pipes
there might be an issue ...
As to what load this might engender on the system .. I've no clue...
--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Lets get magical!
next prev parent reply other threads:[~2003-11-02 13:35 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-10-28 14:59 efficient source address filtering and logging? Robert P. J. Day
2003-10-28 15:26 ` James Pattie
2003-10-28 15:32 ` Robert P. J. Day
2003-10-28 15:30 ` Alistair Tonner
2003-10-28 15:33 ` Robert P. J. Day
2003-10-28 16:26 ` Chris Brenton
2003-11-02 10:29 ` Re[2]: " Peteris Krumins
2003-11-02 11:45 ` Chris Brenton
2003-11-02 13:35 ` Alistair Tonner [this message]
2003-11-02 13:48 ` Alistair Tonner
2003-11-04 3:55 ` Tarek W.
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200311020835.31617.Alistair@nerdnet.ca \
--to=alistair@nerdnet.ca \
--cc=cbrenton@chrisbrenton.org \
--cc=netfilter@lists.netfilter.org \
--cc=newsgroups@lf.lv \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.