* [LARTC] ACCEPT/DROP/REJECT in mangle?
@ 2004-03-10 15:17 Erik S. Johansen
  2004-03-10 18:24 ` Patrick Turley
  0 siblings, 1 reply; 2+ messages in thread
From: Erik S. Johansen @ 2004-03-10 15:17 UTC (permalink / raw)
  To: lartc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm planning on a redo of a small company setup, using a linux-box on 2.4.2x
kernel as router/natbox/firewall.

We have a rather complex shaping/policing setup, currently using multiple
imq's, htb, sfq and a few thousand lines of scripts. In addition I have
varying classes of rules regarding outbound traffic depending on the internal
origin of the traffic, and a few thousand lines of permit/deny rules.

Now, in order to e.g. permit use of outbound ssh to a specific net, and also
ensure that ssh has a higher priority than e.g. web traffic, I have to
triplicate a rule classifying a stream as ssh; NEW outbound permit, ingress
MARK for htb on an IMQ dev, egress MARK for htb. I'd like to reduce the
number of rules per stream, both for maintenance and performance purposes.

So,

1a) Is it possible/recommended to ACCEPT/DROP/REJECT in mangle FORWARD?
1b) Is it possible/recommended to MARK in filter FORWARD?
2) Can I safely put SFQ on a HTB leaf?
3) It appears that only packets that are not conntracked traverse the nat
table, is this correct?
4) Does mangle OUTPUT happen before or after routing?
5) When exactly in the packet traversal does egress shaping happen? After mangle
POSTROUTING? After nat POSTROUTING?
6) Recommendations on handling the massive number of connections created by
P2P? When P2P classes need to stop borrowing from higher priority classes,
the sheer number of connections appears to create some latency.


Thanks,


- --Erik
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFATzGjds9m9uhAobARAtfJAKDG2WCKH0YdzFTrZ8/6tuq8pHj4UwCfVdo+
FpUxeg2h1sahuPoNwOMu/go=xSuH
-----END PGP SIGNATURE-----
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] ACCEPT/DROP/REJECT in mangle?
  2004-03-10 15:17 [LARTC] ACCEPT/DROP/REJECT in mangle? Erik S. Johansen
@ 2004-03-10 18:24 ` Patrick Turley
  0 siblings, 0 replies; 2+ messages in thread
From: Patrick Turley @ 2004-03-10 18:24 UTC (permalink / raw)
  To: lartc

> 1a) Is it possible/recommended to ACCEPT/DROP/REJECT in mangle FORWARD?

Yes, it's possible. It's generally regarded as good firewall hygiene to 
only "transform" packets in the mangle table and make ACCEPT/DROP/REJECT 
decisions in the filter table - but there are definitely exceptions.

> 1b) Is it possible/recommended to MARK in filter FORWARD?

No. MARK is only valid in the mangle table.

> 2) Can I safely put SFQ on a HTB leaf?

Yes.

> 3) It appears that only packets that are not conntracked traverse the nat
> table, is this correct?

Yes, that's true. Once NAT'ing has been associated with a particular 
connection, further packets associated with that connection will 
automatically undergo the same transformation.

> 4) Does mangle OUTPUT happen before or after routing?

The best illustration for this on the entire net is the KPTD figure on 
www.docum.org. From this picture, you can see that this happens *before* 
routing.

> 5) When exactly in the packet traversal does egress shaping happen? After mangle
> POSTROUTING? After nat POSTROUTING?

See the same figure. Traffic control occurs before and after firewall 
traversal.

> 6) Recommendations on handling the massive number of connections created by
> P2P? When P2P classes need to stop borrowing from higher priority classes,
> the sheer number of connections appears to create some latency.

I don't have a ready answer for this.

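An added example, not from either message in the thread, showing the layout Patrick's answers to 1a/1b and 2 imply and the per-stream triplication Erik describes: one definition per stream is expanded into a filter-table ACCEPT (the policy decision), mangle-table MARKs for egress and for ingress via IMQ (MARK is only valid in mangle), and the tc fw filters that bind the mark to an HTB class with an SFQ leaf. Interface names eth0/eth1/imq0, mark and class numbers, rates, and the IMQ target syntax are assumptions not taken from the thread; the script prints the commands by default and only runs them when RUN is set to empty.

```shell
#!/bin/sh
# Added example, not code from the LARTC thread. Assumed names: LAN_IF, WAN_IF,
# IMQ_IF, class ids 1:10 / 1:30, the rates, and the IMQ target. RUN defaults
# to "echo" so the rules are printed rather than applied; RUN="" applies them.
RUN="${RUN-echo}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
IMQ_IF="${IMQ_IF:-imq0}"

# shaping_setup DEV LINK_RATE
# HTB root with one class per priority, and SFQ on every leaf so the flows
# inside one class share it fairly (answer to question 2: SFQ on an HTB leaf).
shaping_setup() {
    dev="$1"; link_rate="$2"
    $RUN tc qdisc add dev "$dev" root handle 1: htb default 30
    $RUN tc class add dev "$dev" parent 1: classid 1:1 htb rate "$link_rate"
    $RUN tc class add dev "$dev" parent 1:1 classid 1:10 htb rate 256kbit ceil "$link_rate" prio 1
    $RUN tc class add dev "$dev" parent 1:1 classid 1:30 htb rate 128kbit ceil "$link_rate" prio 3
    $RUN tc qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    $RUN tc qdisc add dev "$dev" parent 1:30 handle 30: sfq perturb 10
}

# stream_rules NAME PROTO DPORT SRC_NET DST_NET MARK CLASSID
# One line per stream in the caller; the three rule kinds are generated here.
stream_rules() {
    name="$1"; proto="$2"; dport="$3"; src="$4"; dst="$5"; mark="$6"; classid="$7"
    # 1. Policy: ACCEPT only in the filter table (answer to 1a), and only for
    #    NEW connections; established traffic is admitted by base_rules below.
    $RUN iptables -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$proto" \
        -s "$src" -d "$dst" --dport "$dport" -m state --state NEW \
        -m comment --comment "$name" -j ACCEPT
    # 2. Egress classification: MARK lives in mangle (answer to 1b).
    $RUN iptables -t mangle -A POSTROUTING -o "$WAN_IF" -p "$proto" \
        -s "$src" -d "$dst" --dport "$dport" -j MARK --set-mark "$mark"
    # 3. Ingress classification: replies arriving on WAN_IF are marked and
    #    diverted to the IMQ device so HTB can shape inbound traffic too.
    $RUN iptables -t mangle -A PREROUTING -i "$WAN_IF" -p "$proto" \
        -s "$dst" -d "$src" --sport "$dport" -j MARK --set-mark "$mark"
    $RUN iptables -t mangle -A PREROUTING -i "$WAN_IF" -p "$proto" \
        -s "$dst" -d "$src" --sport "$dport" -j IMQ --todev "${IMQ_IF#imq}"
    # 4. Bind the mark to the HTB class on both shaping devices.
    for dev in "$WAN_IF" "$IMQ_IF"; do
        $RUN tc filter add dev "$dev" parent 1:0 protocol ip prio 1 \
            handle "$mark" fw flowid "$classid"
    done
}

# base_rules: deny by default, let conntracked traffic through.
base_rules() {
    $RUN iptables -t filter -P FORWARD DROP
    $RUN iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

if [ "${1:-}" = demo ]; then
    shaping_setup "$WAN_IF" 1mbit
    shaping_setup "$IMQ_IF" 2mbit
    base_rules
    # assumed sample streams: ssh to one net gets the high-priority class
    stream_rules ssh tcp 22 192.168.1.0/24 10.0.0.0/8 1 1:10
    stream_rules web tcp 80 192.168.1.0/24 0.0.0.0/0 3 1:30
fi
```

Run `sh script.sh demo` to see the generated rule set; `RUN= sh script.sh demo` applies it as root. Each stream line yields exactly one filter-table rule and two mangle MARKs, so the policy/classification split from the answers is kept while each stream is still written only once.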

