From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@lists.netfilter.org>
Subject: Re: Filtering in PREROUTING
Date: Thu, 18 Jan 2007 08:25:07 -0600 [thread overview]
Message-ID: <45AF8343.7000006@riverviewtech.net> (raw)
In-Reply-To: <1169069905.10134.18.camel@len.t-t-l.co.uk>
george wrote:
> I've seen a few places telling me that you shouldn't filter in the
> mangle table. However, it seems sensible to me to drop junk packets in
> PREROUTING rather than have to duplicate those rules in both INPUT and
> FORWARD.
Rather than taking an absolutely closed minded approach and trying to
convince you that I disagree and why, I'll ask this:
Are your (any one posting to this thread) statements based on things you
your self have experienced, or been told, or seen others experience, or
are they based on theory by the fact that you could improve efficiency
by filtering in the very first possible place?
What sort of system(s) are you using for your firewalls / routers?
What sort of bandwidth are they filtering?
How many rules are in your rule set(s)?
I ask, because I'd like to hear constructive discussion on both sides of
the fence.
I personally have always done my filtering in the filter table. I can
also say that I have never had a system even come close to weakening
under load. Granted most of my firewalls / routers are 233 MHz - 1 GHz
systems (what ever is laying around) with at least a quarter gig of
memory. I'm also only filtering / firewalling for SOHO (DSL / Cable) or
possibly a 10 / 100 network between subnets. I have had one system that
was filtering a full bleat 100 BaseT network and it never showed any
signs of failure or even slow down.
That being said, I could see why you might want to filter in
mangle:PREROUTING on a 486 with 16 MB RAM.
Thoughts / opinions / comments / critiques are welcomed and encouraged.
Grant. . . .
next prev parent reply other threads:[~2007-01-18 14:25 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-01-17 21:38 Filtering in PREROUTING george
2007-01-17 22:17 ` Jorge Davila
2007-01-18 2:01 ` Grant Taylor
2007-01-18 8:42 ` Alexandru Dragoi
2007-01-19 17:34 ` R. DuFresne
2007-01-18 8:46 ` george
2007-01-19 17:25 ` R. DuFresne
2007-01-18 4:44 ` p0f patch Tim Heagarty
2007-01-19 19:23 ` Tim Heagarty
2007-01-20 2:23 ` Michael Rash
2007-01-18 10:52 ` Filtering in PREROUTING Georgi Alexandrov
2007-01-19 10:19 ` george
2007-01-19 11:32 ` Pascal Hambourg
2007-01-18 14:25 ` Grant Taylor [this message]
2007-01-19 13:17 ` george
2007-01-18 14:57 ` Filtering in PREROUTING --- Some random thoughts / points Grant Taylor
2007-01-19 17:54 ` R. DuFresne
2007-01-18 19:19 ` Filtering in PREROUTING Pascal Hambourg
2007-01-19 13:17 ` george
2007-01-19 15:51 ` Grant Taylor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=45AF8343.7000006@riverviewtech.net \
--to=gtaylor@riverviewtech.net \
--cc=gtaylor+reply@riverviewtech.net \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.