Firewall Wizards mailing list archives
Re: Linux Bridge/Firewall
From: Christopher Hicks <chicks () chicks net>
Date: Sat, 29 Nov 2003 11:05:19 -0500 (EST)
On Wed, 26 Nov 2003, Chris Ditri wrote:
Normally, I split up the packets into 3 chains, one for udp, one for tcp, etc. etc. This is supposed to decrease the overhead by not running everything though one chain. It minimizes processing. Should something like this be implemented on my bridge/firewall? (logically splitting traffic into chains).
You say "chains", but I'm assuming you're using iptables. If you're actually using ipchains (ehh...), the answer below for INPUT and OUTPUT is woefully incomplete. Most likely most of your packets are going to be TCP, so the performance benefit of this is minimal. Breaking up your chains into logical trees reduces the amount of processing done. I like having between about two and six rules in each chain. Having all the "real processing" done in a chain all its own opens up all sorts of possibilities. My Linux firewall that sits in front of my kids' Internet connection had scheduled jobs to stop their masq'd and/or squid'd access at various times of day. Since the iptables commands just remove one rule at a time, I could add an extra "block this kid's MASQ access" rule into the FORWARD chain, and the cron job could keep going, adding and removing its extra block-this-kid rule.
Should I try to set my INPUT and OUTPUT to DROP, and make exceptions?
Unless you're running some proxy, there's no need for the whole world to be able to get into your box. So INPUT should be only what you want to let in for box management. If you want to do only console management, then INPUT could be DROP only. Setting OUTPUT to DROP would prevent trojans from using that box to impregnate other boxes, but it would mean that you couldn't make ssh connections from the bridge and DNS lookups wouldn't work. Updates would need to be sneakernetted to the box too. That seems a bit harsh to me, but I'm lazy.
Or is it safe to leave it alone?
OUTPUT is safe to leave alone, INPUT should be tight.
Should I bag the whole thing and use ebtables (something I am completely unfamiliar with). I personally don't see why I would want to do this... I don't know if I have a need to block and allow based upon mac address...
What you're doing sounds to be going in the right direction. Unless you're trying to be ultraparanoid, MAC filtering isn't worth the trouble.

-- 
</chris>
No, no, you're not thinking, you're just being logical. -Niels Bohr, physicist (1885-1962)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
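The layout described in the reply above (FORWARD only classifies by protocol, the "real processing" lives in small user-defined chains, INPUT defaults to DROP with a narrow management exception, OUTPUT is left at ACCEPT, and a dedicated chain holds the single rule a cron job adds and removes), as an added example that is not part of the original thread. It emits an iptables-restore ruleset as text rather than calling iptables directly, so it can be inspected without root; the interface name, LAN subnet, admin host and kid's address are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an iptables-restore
# ruleset laid out as a tree of small chains. All addresses and interface
# names below are assumptions for illustration.
LAN_IF=${LAN_IF:-eth1}                    # assumed: inside interface of the bridge
LAN_NET=${LAN_NET:-192.168.1.0/24}        # assumed: LAN behind the bridge
ADMIN_HOST=${ADMIN_HOST:-192.168.1.10}    # assumed: only host allowed to ssh in
KID_HOST=${KID_HOST:-192.168.1.50}        # assumed: machine the cron job blocks

# Print the whole ruleset in iptables-restore format.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FWD_TCP - [0:0]
:FWD_UDP - [0:0]
:FWD_ICMP - [0:0]
:KIDS - [0:0]
# INPUT stays tight: loopback, replies to our own traffic, ssh from one host.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $ADMIN_HOST -p tcp --dport 22 -j ACCEPT
# FORWARD does nothing but classify; each chain stays at two to six rules.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j KIDS
-A FORWARD -p tcp -j FWD_TCP
-A FORWARD -p udp -j FWD_UDP
-A FORWARD -p icmp -j FWD_ICMP
# The real processing lives in the per-protocol chains. Note that --dport
# needs its own -p on the rule; the protocol match on the jump does not carry over.
-A FWD_TCP -s $LAN_NET -p tcp -m multiport --dports 22,25,80,443 -j ACCEPT
-A FWD_UDP -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A FWD_UDP -s $LAN_NET -p udp --dport 123 -j ACCEPT
-A FWD_ICMP -s $LAN_NET -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# KIDS is empty in the base ruleset; only the cron job touches it.
COMMIT
EOF
}

# Number of rules appended to a given chain in the generated ruleset.
rules_in_chain() {
    gen_ruleset | grep -c "^-A $1 " || true
}

# The command a cron job runs at bedtime (add) and in the morning (del).
# Because the rule lives in its own chain, -I/-D never disturb the rest
# of the tree, and -D removes exactly one matching rule per call.
kid_block_cmd() {
    case "$1" in
        add) echo "iptables -I KIDS 1 -s $KID_HOST -j DROP" ;;
        del) echo "iptables -D KIDS -s $KID_HOST -j DROP" ;;
        *)   echo "usage: kid_block_cmd add|del" >&2; return 1 ;;
    esac
}

# Stand-alone use: write the ruleset and load it with iptables-restore.
if [ "${1:-}" = "write" ]; then
    gen_ruleset > "${2:-/etc/iptables.rules}"
    echo "load with: iptables-restore < ${2:-/etc/iptables.rules}"
fi
```

To load it, run `gen_ruleset | iptables-restore` as root; the two crontab lines would then be `0 21 * * * $(kid_block_cmd add)` and `0 7 * * * $(kid_block_cmd del)` (with a full path to iptables). Because OUTPUT stays ACCEPT, ssh out of the bridge, DNS and updates keep working, which is the trade-off the reply describes.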
Current thread:
- Linux Bridge/Firewall Chris Ditri (Nov 29)
- Re: Linux Bridge/Firewall Christopher Hicks (Nov 29)