Re: a sort of n00b question here but I'ld like to know.

Re: a sort of n00b question here but I'ld like to know.

[Eric Marchionni]

SBlaze wrote:

>As I said this is probably a n00bish question but i'm curious. Since iptables
>is hooked into the kernel; would it show up as usage in the top or uptime statistics?
>
i'd like to know that as well ;-D

cheers,
eric

RE: a sort of n00b question here but I'ld like to know.

[Daniel Chemko]

For RAM: /proc/slabinfo gives you a lot of memory allocation info. The
second column is the 'number of objects' and the third column is the
'size of object'

For CPU: the 'system' on the CPU states field handles the cpu load on
the system.

For disk: there is not a consideration. Netfilter shouldn't be affected
by disk I/O.

The only serious slowdowns I had with Netfilter were when I had a memory
leak. I had 2.4.20 redhat derived kernel with a semi-recent
patch-o-matic. 

The memory kept on building up, and eventually I was so short on memory
that the whole system started grinding doing anything. I updated to
2.4.22 and the problem has totally disappeared, as well as those
annoying slowdowns. 

RE: a sort of n00b question here but I'ld like to know.

[Daniel Chemko]

Iptables is just a program that loads your rules into the kernel. The
kernel modules running to support the firewall system is commonly known
as 'Netfilter'.

These modules run under the networking sub-system in the kernel, so it
doesn't need to spawn a kernel process. Kernel processes are the
programs with [ ] around them when running ps.

I think you can have non-kernel processes with the [], but I don't know
when that is the case.

-----Original Message-----
From: Eric Marchionni [mailto:mailing-lists@gmx.ch] 
Sent: Monday, October 20, 2003 4:37 PM
To: netfilter@lists.netfilter.org
Subject: Re: a sort of n00b question here but I'ld like to know.

SBlaze wrote:

>As I said this is probably a n00bish question but i'm curious. Since
iptables
>is hooked into the kernel; would it show up as usage in the top or
uptime statistics?
>
i'd like to know that as well ;-D

cheers,
eric

RE: a sort of n00b question here but I'ld like to know.

[SBlaze]

That's really nice information. Thanks for sharing it with me. However, this
still leaves the question I asked yet to be answered. Since it's not an
"official" process(I knew that already)does it show up in the CPU usage
statistics?

ie

root@nixn00b:~# uptime
 20:32:26 up 11 days, 19:56,  4 users,  load average: 0.00, 0.00, 0.00


The reason I ask is that I have what I think is an unusual amount of inbound
unsolicited udp traffic(which is dropped by iptables/netfilter). I also have
really bad ping times to games alot of the times. In trying to track down the
culprut for this I am looking first at my own setup. If iptables/netfilter does
not show up in the load adverage....then perhaps my hardware is to blame? I
really hate to believe the problem is with my Linux box...but I want to rule it
out and move onto the next idea as to the problem.

Thanks Alot for any info in advance. Perhaps this is one for the netfilter FAQ?
SBlaze



--- Daniel Chemko <dchemko@smgtec.com> wrote:
> Iptables is just a program that loads your rules into the kernel. The
> kernel modules running to support the firewall system is commonly known
> as 'Netfilter'.
> 
> These modules run under the networking sub-system in the kernel, so it
> doesn't need to spawn a kernel process. Kernel processes are the
> programs with [ ] around them when running ps.
> 
> I think you can have non-kernel processes with the [], but I don't know
> when that is the case.
> 
> -----Original Message-----
> From: Eric Marchionni [mailto:mailing-lists@gmx.ch] 
> Sent: Monday, October 20, 2003 4:37 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: a sort of n00b question here but I'ld like to know.
> 
> SBlaze wrote:
> 
> >As I said this is probably a n00bish question but i'm curious. Since
> iptables
> >is hooked into the kernel; would it show up as usage in the top or
> uptime statistics?
> >
> i'd like to know that as well ;-D
> 
> cheers,
> eric
> 
> 
> 
> 
> 


=====
In the absence of order there will be chaos.

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

Re: a sort of n00b question here but I'ld like to know.

[Simon Garner]

On Tuesday, October 21, 2003 1:41 PM [GMT+1200=NZT],
SBlaze <dagent.geo@yahoo.com> wrote:

> That's really nice information. Thanks for sharing it with me.
> However, this still leaves the question I asked yet to be answered.
> Since it's not an "official" process(I knew that already)does it show
> up in the CPU usage statistics?
>
> ie
>
> root@nixn00b:~# uptime
>  20:32:26 up 11 days, 19:56,  4 users,  load average: 0.00, 0.00, 0.00
>

Have a look at the "system" CPU usage visible with 'top'. This should
show you how much CPU is being used by the kernel itself (which would
include netfilter). You can also see this with 'vmstat'.

I'm not sure if the load average would reflect this... load average is
supposedly a measure of how many processes were waiting in the run queue
over the last 1, 5 and 15 minutes. Whether "processes" includes the
kernel itself, I don't know (I'm inclined to think yes, though).

-Simon

Re: a sort of n00b question here but I'ld like to know.

[SBlaze]

--- Simon Garner <sgarner@expio.co.nz> wrote:
> On Tuesday, October 21, 2003 1:41 PM [GMT+1200=NZT],
> SBlaze <dagent.geo@yahoo.com> wrote:
> 
> > That's really nice information. Thanks for sharing it with me.
> > However, this still leaves the question I asked yet to be answered.
> > Since it's not an "official" process(I knew that already)does it show
> > up in the CPU usage statistics?
> >
> > ie
> >
> > root@nixn00b:~# uptime
> >  20:32:26 up 11 days, 19:56,  4 users,  load average: 0.00, 0.00, 0.00
> >
> 
> Have a look at the "system" CPU usage visible with 'top'. This should
> show you how much CPU is being used by the kernel itself (which would
> include netfilter). You can also see this with 'vmstat'.
> 
> I'm not sure if the load average would reflect this... load average is
> supposedly a measure of how many processes were waiting in the run queue
> over the last 1, 5 and 15 minutes. Whether "processes" includes the
> kernel itself, I don't know (I'm inclined to think yes, though).
> 
> -Simon
> 
Ok I did that(with top) My CPU usage for both procs is relativly low. They both
tend to idle with other visable processes at 96-100% idle.

root@nixn00b:~# vmstat
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 0  0  27464   5848  22848  44388    0    0     1     2   11     8  0  1 99  0

this looks pretty greek to me...but I was able to make some sence out of it
with  the man page..but still looks fairly normal...

So I guess this still pretty much remains a mystery?

Anyone out there got a clue on this????

=====
In the absence of order there will be chaos.

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

Re: a sort of n00b question here but I'ld like to know.

[Simon Garner]

On Tuesday, October 21, 2003 2:24 PM [GMT+1200=NZT],
SBlaze <dagent.geo@yahoo.com> wrote:

> Ok I did that(with top) My CPU usage for both procs is relativly low.
> They both tend to idle with other visable processes at 96-100% idle.
>
> root@nixn00b:~# vmstat
> procs -----------memory---------- ---swap-- -----io---- --system--
>  ----cpu---- r  b   swpd   free   buff  cache   si   so    bi    bo
>  in    cs us sy id wa 0  0  27464   5848  22848  44388    0    0
> 1     2   11     8  0  1 99  0
>

Looks fine... sounds to me like this is a red herring, are you sure your
problem is not just with your connection itself? You said:


> The reason I ask is that I have what I think is an unusual amount of
> inbound unsolicited udp traffic(which is dropped by
> iptables/netfilter).
>

Inbound unsolicited traffic will be dropped with or without iptables -
you don't need a firewall to stop that as it won't have anywhere to go
anyway. And you'd have to have a serious amount of traffic to choke the
CPU like that. But, that traffic could be using up your bandwidth of
course... If that's a possibility, you need to find out more about where
the traffic is coming from and where it's going to and why you're
receiving it.

-Simon

Re: a sort of n00b question here but I'ld like to know.

[SBlaze]

--- Simon Garner <sgarner@expio.co.nz> wrote:
> On Tuesday, October 21, 2003 2:24 PM [GMT+1200=NZT],
> SBlaze <dagent.geo@yahoo.com> wrote:
> 
> > Ok I did that(with top) My CPU usage for both procs is relativly low.
> > They both tend to idle with other visable processes at 96-100% idle.
> >
> > root@nixn00b:~# vmstat
> > procs -----------memory---------- ---swap-- -----io---- --system--
> >  ----cpu---- r  b   swpd   free   buff  cache   si   so    bi    bo
> >  in    cs us sy id wa 0  0  27464   5848  22848  44388    0    0
> > 1     2   11     8  0  1 99  0
> >
> 
> Looks fine... sounds to me like this is a red herring, are you sure your
> problem is not just with your connection itself? You said:
> 
> 
> > The reason I ask is that I have what I think is an unusual amount of
> > inbound unsolicited udp traffic(which is dropped by
> > iptables/netfilter).
> >
> 
> Inbound unsolicited traffic will be dropped with or without iptables -
> you don't need a firewall to stop that as it won't have anywhere to go
> anyway. And you'd have to have a serious amount of traffic to choke the
> CPU like that. But, that traffic could be using up your bandwidth of
> course... If that's a possibility, you need to find out more about where
> the traffic is coming from and where it's going to and why you're
> receiving it.
> 
> -Simon
> 

It would appear that most of the data that comes to me is udp and by
unsolicited I mean that in stateful inspections they are NEW or INVALID
connections. 98% of them are from my own IP range and are targeted at me or my
ISP's broadcast address for my range. Alot of them are "valid" in that they are
basically Windows RPC scans/virii and the like.

About the CPUT... thats what I'm wondering really. Is all this traffic silently
choking my system. If it is I need to know.. if its not..then we know its
probably just an OOB deal.

You be the judge. I start my firewall when the box boots up. Pay special
attention to the UDP rule. Note that in the 11 day up time we have 16 Million
droppped UDP NEW/Invalid packets. Is this enough to choke down a Dual Pentium
Pro 200mhz box?

root@nixn00b:/proc/net# uptime ; iptables -vnL
 21:56:57 up 11 days, 21:21,  4 users,  load average: 0.00, 0.00, 0.00
Chain INPUT (policy ACCEPT 1008K packets, 736M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       68.119.x.x          0.0.0.0/0
    0     0 DROP       all  --  *      *       68.119.x.x       0.0.0.0/0
    0     0 DROP       all  --  *      *       68.119.x.x         0.0.0.0/0
85058 5514K ACCEPT     all  --  eth0   *       68.1.x.x         0.0.0.0/0
 4676  432K ACCEPT     all  --  eth0   *       68.63.x.x        0.0.0.0/0
 9656  639K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0  
       tcp dpt:80
 309K   20M ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       udp dpt:27015 state NEW,RELATED,ESTABLISHED
 3262  191K DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0  
       state INVALID,NEW
 288K  427M ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0  
       state RELATED,ESTABLISHED
  16M 1945M DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0  
       state INVALID,NEW
 6815 1166K ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0  
       state RELATED,ESTABLISHED
 2767  249K DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0  
       state INVALID,NEW
  339 24646 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0  
       state RELATED,ESTABLISHED


=====
In the absence of order there will be chaos.

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

Re: a sort of n00b question here but I'ld like to know.

[Simon Garner]

On Tuesday, October 21, 2003 3:03 PM [GMT+1200=NZT],
SBlaze <dagent.geo@yahoo.com> wrote:

> It would appear that most of the data that comes to me is udp and by
> unsolicited I mean that in stateful inspections they are NEW or
> INVALID connections. 98% of them are from my own IP range and are
> targeted at me or my ISP's broadcast address for my range. Alot of
> them are "valid" in that they are basically Windows RPC scans/virii
> and the like.
>

By 'your own IP range' I presume you mean your ISP's other customers?


> About the CPUT... thats what I'm wondering really. Is all this
> traffic silently choking my system. If it is I need to know.. if its
> not..then we know its probably just an OOB deal.
>
> You be the judge. I start my firewall when the box boots up. Pay
> special attention to the UDP rule. Note that in the 11 day up time we
> have 16 Million droppped UDP NEW/Invalid packets. Is this enough to
> choke down a Dual Pentium Pro 200mhz box?
>

That is a LOT of useless packets, but it shouldn't be anywhere near
enough to cause any problems for the machine, even a machine that old.

1945M of data over 12 days works out to about 2 kilobytes/second. I'm
sure your firewall regularly handles a lot more data than that. However,
depending on your connection speed this may be enough to cause latency
problems in interactive applications like games.

It's a difficult one because you're already blocking the data - but by
the time the data hits your firewall, it's too late, the bandwidth has
already been consumed. If you do think this is the cause of the problem,
you might need to talk to your ISP to see if they can filter it at their
end, unless anybody else has any ideas...

-Simon

Re: a sort of n00b question here but I'ld like to know.

[SBlaze]

--- Simon Garner <sgarner@expio.co.nz> wrote:
> On Tuesday, October 21, 2003 3:03 PM [GMT+1200=NZT],
> SBlaze <dagent.geo@yahoo.com> wrote:
> 
> > It would appear that most of the data that comes to me is udp and by
> > unsolicited I mean that in stateful inspections they are NEW or
> > INVALID connections. 98% of them are from my own IP range and are
> > targeted at me or my ISP's broadcast address for my range. Alot of
> > them are "valid" in that they are basically Windows RPC scans/virii
> > and the like.
> >
> 
> By 'your own IP range' I presume you mean your ISP's other customers?
> 
> 
Correct I wasn't to clear on that but yes. I am a Charter Communications
customer and by "my range" I really mean the local net they have me on as
opposed to my LAN range heh.

> > About the CPUT... thats what I'm wondering really. Is all this
> > traffic silently choking my system. If it is I need to know.. if its
> > not..then we know its probably just an OOB deal.
> >
> > You be the judge. I start my firewall when the box boots up. Pay
> > special attention to the UDP rule. Note that in the 11 day up time we
> > have 16 Million droppped UDP NEW/Invalid packets. Is this enough to
> > choke down a Dual Pentium Pro 200mhz box?
> >
> 
> That is a LOT of useless packets, but it shouldn't be anywhere near
> enough to cause any problems for the machine, even a machine that old.
> 
> 1945M of data over 12 days works out to about 2 kilobytes/second. I'm
> sure your firewall regularly handles a lot more data than that. However,
> depending on your connection speed this may be enough to cause latency
> problems in interactive applications like games.
> 
Charter says my speed is 2048/128. Howerver, it fluxes so bad that its really
hard to so. Most of the time I can stay above the 1Mb area...but others I
don't(of course this could be just the speed test servers I have been using
some of the time.)

> It's a difficult one because you're already blocking the data - but by
> the time the data hits your firewall, it's too late, the bandwidth has
> already been consumed. If you do think this is the cause of the problem,
> you might need to talk to your ISP to see if they can filter it at their
> end, unless anybody else has any ideas...
> 
> -Simon
> 
Correct you are! I have contacted Charter. I have even sent them snippets of
when I turn Logging on for those new/invalid UDP packets and shown them the
offenders ips. I emailed them to abuse@charter.net per thier policy. I didn't
get any reply other than an automated one and if anything the traffic has
gotton worse.

I was considering using ntop to gather more detailed information so I posted to
a site where I know some Charter techs and people who use Charter are. If your
curiosity gets the better of you please check it out. The following link should
take you to the thread. Whats really interesting is that I have brought up what
you mentioned about having the ISP actually FILTER for me. If you read.. note
the reaction from the people who post up. It's sad. :{{

http://www.dslreports.com/forum/remark,8236731~root=charter~mode=flat

SBlaze




=====
In the absence of order there will be chaos.

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

Re: a sort of n00b question here but I'ld like to know.

[Alistair Tonner]

On October 20, 2003 10:49 pm, SBlaze wrote:
> --- Simon Garner <sgarner@expio.co.nz> wrote:
<SNIP>
> > >
> > > You be the judge. I start my firewall when the box boots up. Pay
> > > special attention to the UDP rule. Note that in the 11 day up time we
> > > have 16 Million droppped UDP NEW/Invalid packets. Is this enough to
> > > choke down a Dual Pentium Pro 200mhz box?
> traffic has gotton worse.
>
No. Period
I have a dual pp 100 with only 48Mb ram ..and it handles far more than this... 
Admittedly on PCI nics ... not ISA


<MORE SNIPPAGE>
> I was considering using ntop to gather more detailed information so I
> posted to a site where I know some Charter techs and people who use Charter
> are. If your curiosity gets the better of you please check it out. The
> following link should take you to the thread. Whats really interesting is
> that I have brought up what you mentioned about having the ISP actually
> FILTER for me. If you read.. note the reaction from the people who post up.
> It's sad. :{{
>
> http://www.dslreports.com/forum/remark,8236731~root=charter~mode=flat
>
> SBlaze
>
>

	I agree the response is indeed sad, but I believe that's typical for that 
sort of forum.  Watching the traffic coming in to your router and charting it 
is NOT any sort of violation of any *rational* AUP.  Going farther than that 
might well be.  The average user of cable internet access has little idea of 
what goes on beyond the screen.  I've noted that DSL reports has a few decent 
posters and occaisionaly has good advise, but frequently is populated by 
*twinks*.   Considering that you are supposed to be 2Mbs down... I'd doubt 
that the garbage is that substantial an issue.  I've takn to REJECT with tcp 
reset for anything targetting the windows filesharing ports off my segment.  
It seems to slow the constant scans, but may be bad policy.  I do know that 
the ISP i'm with has a 'no filtering ' policy, and thats one reason I'm with 
them.  But there are days (immediately after a new worm comes out like?) when 
I wish......

   In your case its possible that traffic from other folks on your segment is 
causing the slow connection.  However keep in mind that you get decent TCP 
ping times and poor pings in the game.  Perhaps the problem exists with the 
*game* servers being slow to respoind to udp traffic due to their load.


>
>
> =====
> In the absence of order there will be chaos.
>
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Shopping - with improved product search
> http://shopping.yahoo.com

-- 

	Alistair Tonner
	nerdnet.ca
	Senior Systems Analyst - RSS
	
     Any sufficiently advanced technology will have the appearance of magic.
	Lets get magical!

Re: a sort of n00b question here but I'ld like to know.

[SBlaze]

> 
> 	I agree the response is indeed sad, but I believe that's typical for that 
> sort of forum.  Watching the traffic coming in to your router and charting it
> 
> is NOT any sort of violation of any *rational* AUP.  Going farther than that 
> might well be.  The average user of cable internet access has little idea of 
> what goes on beyond the screen.  I've noted that DSL reports has a few decent
> 
> posters and occaisionaly has good advise, but frequently is populated by 
> *twinks*.   Considering that you are supposed to be 2Mbs down... I'd doubt 
> that the garbage is that substantial an issue.  I've takn to REJECT with tcp 
> reset for anything targetting the windows filesharing ports off my segment.  
> It seems to slow the constant scans, but may be bad policy.  I do know that 
> the ISP i'm with has a 'no filtering ' policy, and thats one reason I'm with 
> them.  But there are days (immediately after a new worm comes out like?) when
> 
> I wish......
> 
>    In your case its possible that traffic from other folks on your segment is
> 
> causing the slow connection.  However keep in mind that you get decent TCP 
> ping times and poor pings in the game.  Perhaps the problem exists with the 
> *game* servers being slow to respoind to udp traffic due to their load.
> 
> 
> >
> >
> > =====
> > In the absence of order there will be chaos.
> >
> > __________________________________
> > Do you Yahoo!?
> > The New Yahoo! Shopping - with improved product search
> > http://shopping.yahoo.com
> 
> -- 
> 
> 	Alistair Tonner
> 	nerdnet.ca
> 	Senior Systems Analyst - RSS
> 	
>      Any sufficiently advanced technology will have the appearance of magic.
> 	Lets get magical!
> 


This is the section that I am wondering about in Charter's AUP.

7. NO “HACKING"

Customer will not use, nor allow others to use, the Service to access the
accounts of others or to attempt to penetrate security measures of the Service
or other computer systems (“hacking”) or to cause a disruption of the Service
to other on-line users. Customer will not use, nor allow others to use, tools
designed for compromising network security, such as password-guessing programs,
cracking tools, packet sniffers or network probing tools.

Wouldn't ntop be considered a "probing" tool?

And getting back to my original reason and question for this post. How
statistically can you see just how much iptables/netfilter is using of system
resources?

Thanks Everyone
SBlaze


=====
In the absence of order there will be chaos.

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

Re: a sort of n00b question here but I'ld like to know.

[Simon Garner]

On Wednesday, October 22, 2003 7:11 AM [GMT+1200=NZT],
SBlaze <dagent.geo@yahoo.com> wrote:

>
> Wouldn't ntop be considered a "probing" tool?
>

I wouldn't consider it a probing tool... something like nmap would be
probing, ntop just listens. And although it puts your eth into
promiscuous mode, I wouldn't call it a packet sniffer since it won't
tell you the contents of any packets, only where they're going and how
big they are etc. I don't think you have anything to worry about.

Now I have no experience with cable or cable modems (they're practically
non-existent over here) but wouldn't running this on your linux box only
show you whatever data your cable modem is sending to you anyway...
you'd need to put the *cable modem* into promiscuous mode (or
equivalent) to actually receive any data you shouldn't.

>
> And getting back to my original reason and question for this post. How
> statistically can you see just how much iptables/netfilter is using
> of system resources?
>

I think we're agreed that the level of data you're seeing wouldn't cause
any problems CPU-wise. You can see kernel CPU usage as "system CPU%" in
top and vmstat and they're saying 0, which would be expected.

-Simon

Re: a sort of n00b question here but I'ld like to know.

[SBlaze]

--- Simon Garner <sgarner@expio.co.nz> wrote:
> On Wednesday, October 22, 2003 7:11 AM [GMT+1200=NZT],
> SBlaze <dagent.geo@yahoo.com> wrote:
> 
> >
> > Wouldn't ntop be considered a "probing" tool?
> >
> 
> I wouldn't consider it a probing tool... something like nmap would be
> probing, ntop just listens. And although it puts your eth into
> promiscuous mode, I wouldn't call it a packet sniffer since it won't
> tell you the contents of any packets, only where they're going and how
> big they are etc. I don't think you have anything to worry about.
> 
> Now I have no experience with cable or cable modems (they're practically
> non-existent over here) but wouldn't running this on your linux box only
> show you whatever data your cable modem is sending to you anyway...
> you'd need to put the *cable modem* into promiscuous mode (or
> equivalent) to actually receive any data you shouldn't.
> 
> >
> > And getting back to my original reason and question for this post. How
> > statistically can you see just how much iptables/netfilter is using
> > of system resources?
> >
> 
> I think we're agreed that the level of data you're seeing wouldn't cause
> any problems CPU-wise. You can see kernel CPU usage as "system CPU%" in
> top and vmstat and they're saying 0, which would be expected.
> 
> -Simon
> 
> 

Ok guys well I think that just about wraps this thread up. Special thanks go
out to Jeffery, Simon, and Daniel for all thier help. Really THANKS ALOT
GUYS!!!




=====
In the absence of order there will be chaos.

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

Re: a sort of n00b question here but I'ld like to know.

[Alistair Tonner]

On October 21, 2003 02:11 pm, SBlaze wrote:
> > 	I agree the response is indeed sad, but I believe that's typical for
> > that sort of forum.  Watching the traffic coming in to your router and
> > charting it
> >
> > is NOT any sort of violation of any *rational* AUP.  Going farther than
> > that might well be.  The average user of cable internet access has little
> > idea of what goes on beyond the screen.  I've noted that DSL reports has
> > a few decent

 <SNIPPAGE>

> >
>
> This is the section that I am wondering about in Charter's AUP.
>
> 7. NO “HACKING"
>
> Customer will not use, nor allow others to use, the Service to access the
> accounts of others or to attempt to penetrate security measures of the
> Service or other computer systems (“hacking”) or to cause a disruption of
> the Service to other on-line users. Customer will not use, nor allow others
> to use, tools designed for compromising network security, such as
> password-guessing programs, cracking tools, packet sniffers or network
> probing tools.
>
> Wouldn't ntop be considered a "probing" tool?

	Welll ... it does incorporate a packet sniffer.  At that level, 
	I can see how you feel that you might be violating AUP 
	firing it up pointed at your outside connection.  However, 
	despite not being a lawyer, I can point out that the intent of the
	section is defined clearly:
		
		No Hacking.  
	
	Soooo .... no coding on that there system now, no debugging allowed, 
	no analysis of bleeding edge source code AT ALL darnit!!!

	(sorry old bone of mine) 

		Intent here is fairly legally clear.  Don't go looking for a way to violate 
the integrity of the network or the security of any systems attached to the 
network.  Analize your bandwidth, but don't retain info that could detail a 
method of accessing any other system on the network.  I know that it seems a 
fine line, but I believe that if you are doing this in the spirit of 
analizing the network traffic to see if YOUR system is a problem, you are 
unlilkely to have major issues.   The individual supposedly from your ISP 
that replied (in that other forum) is clearly far from a network security 
analyst.  I doubt they understand the functionality of a tool like ntop.
	
  I know from past experience in my own co (cough) that we do indeed lock down 
IP's that are operating in promiscuous mode, and also IP's that are clearly 
and documentably infected with DDOS tools.  However, we do NOT automatically 
terminate the account based on this behaviour.  Frequently the issue is that 
the system has been compromised remotely, and the sub is actually as much a 
victim as a culprit.  Unfortunately this is a two edged sword, in which some 
(cough) people get away with murder.


>
> And getting back to my original reason and question for this post. How
> statistically can you see just how much iptables/netfilter is using of
> system resources?

	Got me on that ... I know that with only minimal processing on the firewall 
and three winders boxen downstream hammering the net connection, my linux box 
is using  0.7% system  consistently (AMD Athlon 1500 756mbRam and kernel 
2.4.22 iptables 1.2.7a, pom from January) 

	With my desktop up and running (kde 3.1.2 ) with xmms and konqueror and 
	other such things running, and my other half playing Sims online and me
	pulling Xfree86 current CVS right now I'm seeing Umm 2.6% system load.
	(most likely the sound drivers) -- plus something seems to be searching my 	
	website........hmm -- not google.

	(yes ... thats a bad habit... but my desktop is the net connection for the 
household... I'm working on that)

	On a dual pp 48Mb ram in a colo handling ~~1Gb/day data the system hasn't 
broken 0.8% in over two months. (2.4.19, iptables 1.2.7a, no pom, no extras, 
boots and runs from cd, logs remotely)

	*shrug* ... last time someone decided to ddos my network neighbour in the 
colo, I saw some serious load *grin* ..the system usage actually hit 5%, but 
I suspect that was the logger more than anything else .. .since I was 
dropping and logging packets like crazy at the time.



	I'm still inclined to say that if you are concerned about the difference 
between TCP pings to game servers and the so called ping time in game 
that the issue lies with the game server.  I doubt from what you've posted so 
far that the local outside network or iptables is causing your problems.

>
> Thanks Everyone
> SBlaze
>
>
> =====
> In the absence of order there will be chaos.
>
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Shopping - with improved product search
> http://shopping.yahoo.com

-- 

	Alistair Tonner
	nerdnet.ca
	Senior Systems Analyst - RSS
	
     Any sufficiently advanced technology will have the appearance of magic.
	Lets get magical!

Re: a sort of n00b question here but I'ld like to know.

[Jeffrey Laramie]

[-- Attachment #1: Type: text/html, Size: 2411 bytes --]

Re: a sort of n00b question here but I'ld like to know.

[SBlaze]

Some quick math show that roughly 80% of your total traffic is trappedby that
rule. Ouch! Also, do you really want your default policy to beaccept? It looks
like you had 736 Mbytes go to some other (unknown?)destination on your firewall
box.

Jeff 

You know I had never noticed that. I rely on my rule  and statematching to DROP
connecctions I do not want. It may be possible that some of the protocols I
have not accounted for are coming through?

What do you thaink guys? And thanks Jeff for pointing that out!

SBlaze.

=====
In the absence of order there will be chaos.

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

a sort of n00b question here but I'ld like to know.

[SBlaze]

As I said this is probably a n00bish question but i'm curious. Since iptables
is hooked into the kernel; would it show up as usage in the top or uptime statistics?

=====
In the absence of order there will be chaos.

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com