From mboxrd@z Thu Jan 1 00:00:00 1970
From: Grant Taylor
Date: Wed, 17 Aug 2005 06:12:45 +0000
Subject: Re: [LARTC] Hardware Configuration Ideas
Message-Id: <4302D55D.8090008@riverviewtech.net>
List-Id:
References:
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

> Yes. In fact most cases of "advanced" firewalling only mean that you have a
> stupid fw-design, like hundreds/thousands of rules in one chain :-). Usually can
> be optimised by using sub-chains, ipset and/or ipt_ACCOUNT.

If someone has hundreds of rules in one chain (without a _*VERY*_ good reason, and even then) they need to be shot on the spot. For performance reasons such a chain should be broken out into a tree of chains and subchains that are jumped to in an attempt to minimize the number of rules that have to be traversed to get a match on any given packet.

What I was referring to by advanced firewalling was such things as running things like "-p udp -s 0.0.0.0/32 -d 255.255.255.255/32 --sport 68 --dport 67 -m addrtype --src-type broadcast -m pkttype --pkt-type broadcast" for DHCP requests, or complex SSH Brute Force prevention chains / rules, or recent lists to control what types of traffic will be valid based on what you have sent or is not valid b/c you have not sent anything, or should packets with the reset flag have the ack flag set or not, etc.

Grant. . . .

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
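The chain tree Grant describes, as an added example that is not part of the post: a script that emits an iptables-restore ruleset where INPUT only dispatches by protocol and TCP_IN dispatches by port, with a `-m recent` SSH limiter as one leaf. Chain names, ports and the 4-hits-in-60-seconds threshold are assumptions for illustration; nothing is loaded unless you pipe the output to iptables-restore yourself.

```shell
#!/bin/sh
# Added example (not from the post): a filter table laid out as a tree of
# subchains so that a packet traverses a few rules per level instead of one
# long flat chain. Chain names, ports and the SSH rate limit are assumptions.

gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP_IN - [0:0]
:UDP_IN - [0:0]
:SSH_IN - [0:0]
# Top level: short-circuit known flows, then fan out by protocol.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --syn -j TCP_IN
-A INPUT -p udp -j UDP_IN
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Second level: fan out by service; unmatched ports fall back to INPUT's DROP.
-A TCP_IN -p tcp --dport 22 -j SSH_IN
-A TCP_IN -p tcp --dport 80 -j ACCEPT
-A TCP_IN -p tcp --dport 443 -j ACCEPT
-A UDP_IN -p udp --dport 53 -j ACCEPT
# Leaf: recent-list brute-force limiter. Every new SSH SYN is recorded, and a
# source that has sent 4 or more within 60 seconds is dropped (assumed limit).
-A SSH_IN -m recent --name SSH --set
-A SSH_IN -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
-A SSH_IN -j ACCEPT
COMMIT
EOF
}

# Helpers to compare the per-chain cost against a flat layout: a new SSH SYN
# walks INPUT up to the tcp jump, TCP_IN up to the port-22 jump, then SSH_IN,
# whereas a flat chain would make it pass every rule of the table.
rules_in_chain() { gen_ruleset | grep -c "^-A $1 "; }
total_rules()    { gen_ruleset | grep -c '^-A '; }
```

Load with `gen_ruleset | iptables-restore --test` first to have the kernel parse it without applying anything.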