netfilter firewalling problems and solutions

Archaic archaic at indy.rr.com
Thu Feb 19 20:48:50 PST 2004


On Thu, Feb 19, 2004 at 10:28:15PM -0600, Dagmar d'Surreal wrote:
> 
> So the packets on your machines forward themselves across interfaces
> with the help of some manner of magical elves instead of service
> daemons?

Hey! Don't knock magical elves. They're good workers. ;)

> Netfilter can see everything dhcpd does.

You sure about that? IIRC dhclient, unlike other clients, uses a raw
socket. At least the last time I used it it did. iptables couldn't
filter it because it didn't see it.

> If you sit down and flowchart what you propose, you're going to see
> there will be a lot of useless chain jumping going on.  A new chain is
> only really useful when you have to perform multiple (as in at least
> three) tests on each packet, because the chain jump itself is match
> operation.  Until someone implements flow control (or *shudder* QoS) on
> a per-service basis there's not much that I can see that would require
> more than one or two rules to hit per packet and service.

Yeah, but spend too much time trying to minimize the number of rules
that will match each packet and I would fear something getting missed.

Can we trim the quoting, please. It's getting rather hard to weed
through, and at my currently high speed of 33.6kbps, it's taking forever
to scroll through.

-- 
Archaic

See, when the GOVERNMENT spends money, it creates jobs; whereas when the
money is left in the hands of TAXPAYERS, God only knows what they do
with it.  Bake it into pies, probably.  Anything to avoid creating jobs.

- Dave Barry




More information about the hlfs-dev mailing list