Fwd: Re: IP Tables slows network response times

Eric Leblond eric at inl.fr
Mon Aug 15 13:59:17 CEST 2005


On Mon, 2005-08-15 at 23:32 +1200, Michael Hallager wrote:
> AS FOLLOWS: (Oops, my mistake!)
> 
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -d 202.150.101.225 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -d 202.150.101.225 -p tcp -m layer7 --l7proto smtp -m tcp --dport 25 -j ACCEPT

l7 filtering is completely useless here. In fact l7 is able to detect a
protocol after a few packets, so your
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
takes precedence over the l7 rules.
Furthermore (I may be mistaken) the match is often done on the reply, thus
filtering on OUTPUT is necessary.
One other point is: why do you need to check the protocol running on
your own computer?

BR,
-- 
Eric Leblond <eric at inl.fr>
INL
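The rule-ordering point above, as an added illustration that is not part of the original thread: a tiny first-match model of the INPUT chain (a simulation, not iptables or l7-filter) showing that an l7 match placed after the RELATED,ESTABLISHED accept is evaluated only against the connection's first, payload-less packet and so never sees the data it would need to classify the flow. The packets, rule names and the alternative ordering are constructed assumptions for the model.

```python
# Simplified first-match chain evaluator (constructed model, not iptables).
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Packet:
    state: str          # conntrack view of the packet: "NEW" or "ESTABLISHED"
    dport: int
    payload: bytes = b""

@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    seen: int = 0       # how many packets were actually evaluated against this rule

def run_chain(chain: List[Rule], packets: List[Packet]) -> List[Tuple[int, str]]:
    """Walk the rules in order for each packet and stop at the first match,
    as iptables does; packets matching no rule fall through to the policy."""
    decisions = []
    for i, pkt in enumerate(packets):
        for rule in chain:
            rule.seen += 1
            if rule.match(pkt):
                decisions.append((i, rule.name))
                break
        else:
            decisions.append((i, "POLICY"))
    return decisions

def smtp_flow() -> List[Packet]:
    """Constructed SMTP session: the handshake packet carries no payload,
    every later packet is ESTABLISHED from conntrack's point of view."""
    return [Packet("NEW", 25)] + [Packet("ESTABLISHED", 25, b"EHLO mail\r\n")] * 3

def l7_packets_seen(l7_first: bool) -> int:
    """Return how many packets of the flow the l7 rule gets to inspect,
    with the l7 rule either after (as in the quoted rules) or before the
    RELATED,ESTABLISHED accept."""
    established = Rule("established", lambda p: p.state == "ESTABLISHED")
    # Stand-in for "-m layer7 --l7proto smtp": needs payload to classify.
    l7_smtp = Rule("l7-smtp", lambda p: p.dport == 25 and b"EHLO" in p.payload)
    chain = [l7_smtp, established] if l7_first else [established, l7_smtp]
    run_chain(chain, smtp_flow())
    return l7_smtp.seen
```

With the quoted ordering the l7 rule inspects exactly one packet (the empty NEW one); placed ahead of the ESTABLISHED accept it inspects all four.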
