Al Boldi wrote:
[email protected] wrote:
On Sat, 20 Oct 2007 06:40:02 +0300, Al Boldi said:
Sure, the idea was to mark the filter table obsolete as to make people
start using the mangle table to do their filtering for new setups. The
filter table would then still be available for legacy/special setups.
But this would only be possible if we at least ported the REJECT target
to mangle.
That's *half* the battle. The other half is explaining why I should move
from a perfectly functional setup that uses the filter table. What gains
do I get from doing so? What isn't working that I don't know about? etc?
In other words - why do I want to move from filter to mangle?
This has already been explained in this thread; here it is again:
Al Boldi wrote:
The problem is that people think they are safe with the filter table,
when in fact they need the prerouting chain to seal things. Right now
this is only possible in the mangle table.
Why do they need PREROUTING?
Well, for example to stop any transient packets being forwarded. You could
probably hack around this using mark's, but you can't stop the implied
route lookup, unless you stop it in prerouting.
Basically, you have one big unintended gaping whole in your firewall, that
could easily be exploited for DoS attacks at the least, unless you put in
specific rules to limit this.
Well... true enough on a small firewall machine with a really fast link,
maybe. I like your point about efficiency better, it's more logical,
like putting an ACCEPT of established connections before a lot of low
probability rules. The only time I have seen rules actually bog a
machine was when a major ISP sent out a customer "upgrade" with a bug
which caused certain connections to be SYN-SYN/ACK-RST leaving half open
sockets. They sent out 160k of them and the blocking list became very
long as blocking rules were added.
Plus, it's outrageously incorrect to accept invalid packets, just because
your filtering infrastructure can only reject packets after they have been
prerouted.
As long as the filter table doesn't go away, sometimes things change
after PREROUTING, like NAT, and additional rules must be used.
--
Bill Davidsen <[email protected]>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]