Re: [RFD] iptables: mangle table obsoletes filter table

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Al Boldi wrote:
[email protected] wrote:
On Sat, 20 Oct 2007 06:40:02 +0300, Al Boldi said:
Sure, the idea was to mark the filter table obsolete as to make people
start using the mangle table to do their filtering for new setups.  The
filter table would then still be available for legacy/special setups. But this would only be possible if we at least ported the REJECT target
to mangle.
That's *half* the battle.  The other half is explaining why I should move
from a perfectly functional setup that uses the filter table.  What gains
do I get from doing so?  What isn't working that I don't know about? etc?

In other words - why do I want to move from filter to mangle?

This has already been explained in this thread; here it is again:

Al Boldi wrote:
The problem is that people think they are safe with the filter table,
when in fact they need the prerouting chain to seal things.  Right now
this is only possible in the mangle table.
Why do they need PREROUTING?
Well, for example to stop any transient packets being forwarded. You could probably hack around this using mark's, but you can't stop the implied
route lookup, unless you stop it in prerouting.

Basically, you have one big unintended gaping whole in your firewall, that could easily be exploited for DoS attacks at the least, unless you put in specific rules to limit this.

Well... true enough on a small firewall machine with a really fast link, maybe. I like your point about efficiency better, it's more logical, like putting an ACCEPT of established connections before a lot of low probability rules. The only time I have seen rules actually bog a machine was when a major ISP sent out a customer "upgrade" with a bug which caused certain connections to be SYN-SYN/ACK-RST leaving half open sockets. They sent out 160k of them and the blocking list became very long as blocking rules were added.

Plus, it's outrageously incorrect to accept invalid packets, just because your filtering infrastructure can only reject packets after they have been prerouted.

As long as the filter table doesn't go away, sometimes things change after PREROUTING, like NAT, and additional rules must be used.

--
Bill Davidsen <[email protected]>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux