new connections
Jason Opperisano
opie at 817west.com
Sun Feb 6 20:15:47 CET 2005
On Sun, 2005-02-06 at 02:20, Ramoni wrote:
> People...
> What do you all think about making rules for new connections only?
> Make all rules for new connections (--syn) and let the -m state --state
> ESTABLISHED care about connections you have allowed?
that's exactly how i build every firewall.
> I'll apply a patch on my firewall to support the raw table, to use the
> NOTRACK target for connections that I do not need to track (and ensure a
> connection response), for example:
> A connection from outside to my webserver will always come from a random port
> to port 80 of my server, and the response will be from port 80 to any port
> outside.
>
> What's the real need to track this? I can make rules allowing these and just
> make connection tracking for connections from inside to outside that I won't
> make rules expecting the response.
um--the point of bypassing connection tracking with the use of NOTRACK
is that the overhead of connection tracking adds unacceptable latency to
the connection. i have seen this used (and used it myself) for
high-load DNS servers. since almost every DNS resolution request is one
packet request, one packet response; there is a noticeable delay between
using connection tracking over NOTRACK. i suppose the same argument
could be made for a very high traffic web server that gets lots of
short-lived requests for tiny amounts of data.
-j
--
"I am so smart, I am so smart, s-m-r-t....I mean s-m-A-r-t."
--The Simpsons
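
Added example, not part of the original message or the netfilter project: a dry-run shell sketch of the two approaches discussed in this thread, per-service rules that match only new connections plus one ESTABLISHED rule, and a NOTRACK bypass for a DNS server. The address 192.0.2.53, the `IPT` and `DNS_IP` variables and the function names are assumptions; a default DROP policy on INPUT and OUTPUT is assumed and not set here.

```shell
#!/bin/sh
# Dry run by default: each rule is printed, not applied.
# Set IPT=iptables and run as root to apply the rules.
IPT="${IPT:-echo iptables}"
# Constructed documentation address for the DNS server (assumption).
DNS_IP="${DNS_IP:-192.0.2.53}"

stateful_rules() {
    # One rule accepts packets of every connection that was already allowed.
    $IPT -A INPUT -m state --state ESTABLISHED -j ACCEPT
    # Service rules match only the opening packet: a TCP SYN in state NEW.
    $IPT -A INPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
}

notrack_dns_rules() {
    # The raw table is traversed before connection tracking, so these
    # packets never get a conntrack entry.
    $IPT -t raw -A PREROUTING -p udp -d "$DNS_IP" --dport 53 -j NOTRACK
    $IPT -t raw -A OUTPUT -p udp -s "$DNS_IP" --sport 53 -j NOTRACK
    # Untracked packets never match ESTABLISHED, so the query and the
    # reply each need an explicit filter rule.
    $IPT -A INPUT -p udp -d "$DNS_IP" --dport 53 -m state --state UNTRACKED -j ACCEPT
    $IPT -A OUTPUT -p udp -s "$DNS_IP" --sport 53 -m state --state UNTRACKED -j ACCEPT
}

build_rules() {
    stateful_rules
    notrack_dns_rules
}

build_rules
```

The NOTRACK half trades the single ESTABLISHED rule for a pair of stateless rules, which is why it is usually limited to one high-volume service.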