Response time of Iptables
dave-mlist@bfnet.com
20 Oct 1999 10:52:02 -0700
Using Iptables, it is possible to design an active firewall which
changes the filtering rules based on matched patterns. My question is
about response time.
Let's say that IP packet A and IP packet B, both packets matching some
pattern for "evil" activity, arrive on consecutive Ethernet frames:
+----+------------+ +----+------------+
|etha|IP packet A | |ethb|IP packet B |
+----+------------+ +----+------------+
time:...t0..................t1.....................->
Assume that both packets come from the same IP address, and packet A
matches a pattern for some evil activity. Assume that our logic
matches packet A and recognizes the evil activity with negligible
computing time.
** Is it possible to change the Iptables rules fast enough to deny IP
packet B access?
Now, assume that the pattern matching for packet A takes a
non-negligible computing time. For example, in the time it takes to
match packet A, ten more packets from the same source have been
received. Given this condition:
** Is it still possible to change the Iptables rules before any more
packets from the same source are accepted?
I believe these questions will determine Iptables' appropriateness for
implementing active firewalls.
David Wuertele
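The race the post asks about, as an added simulation that is not part of the original message or of the iptables project: a detector classifies packets serially, and a DROP rule it requests takes effect only after some delay, so the model counts how many same-source packets the filter has already accepted by then. The serial-detector model, the `Packet` type and all timings are assumptions.

```python
"""Constructed model of the detect-then-block race (not from the post).
Times are in arbitrary units; the detector sees each packet only after
the filter has already passed it, which is the source of the race."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    arrival: float   # time the frame is received
    src: str         # source IP address (constructed sample values)
    evil: bool       # whether it matches the "evil" pattern


def simulate(packets, match_time, rule_delay):
    """Return (accepted, dropped) lists in arrival order.

    The detector handles packets one at a time; each takes match_time to
    classify. When an evil packet from src is recognised at time t, a
    DROP rule for src becomes effective at t + rule_delay. Packets from
    src arriving before that moment have already been accepted.
    """
    blocked_from = {}      # src -> time its DROP rule becomes effective
    detector_free = 0.0    # time the detector finishes its current packet
    accepted, dropped = [], []
    for p in sorted(packets, key=lambda q: q.arrival):
        effective = blocked_from.get(p.src)
        if effective is not None and p.arrival >= effective:
            dropped.append(p)
            continue
        accepted.append(p)
        # The detector can only start once the packet is in and it is idle.
        start = max(p.arrival, detector_free)
        detector_free = start + match_time
        if p.evil and p.src not in blocked_from:
            blocked_from[p.src] = detector_free + rule_delay
    return accepted, dropped


def leaked_after_first_evil(packets, src, match_time, rule_delay):
    """Count packets from src accepted after its first evil packet."""
    accepted, _ = simulate(packets, match_time, rule_delay)
    same_src = [p for p in accepted if p.src == src]
    for i, p in enumerate(same_src):
        if p.evil:
            return len(same_src) - i - 1
    return 0
```

With negligible match time, whether packet B is denied depends only on whether the rule change lands before B's arrival; with a match time spanning ten arrivals, at least those ten are accepted before any rule change can help.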