On Tue, Dec 31, 2013 at 9:08 AM, Pandu Poluan <pa...@poluan.info> wrote:
>
> On Dec 30, 2013 7:31 PM, "shawn wilson" <ag4ve...@gmail.com> wrote:
>>
>> Minor additions to what Pandu said...
>>
>> On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan <pa...@poluan.info> wrote:
>> > On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl <tansta...@libertytrek.org> wrote:
>>
>> > The numbers within [brackets] are statistics/counters. Just replace them with [0:0], unless you really really really have a good reason to not start counting from 0...
>> >
>>
>> AFAIK, there's no reason this shouldn't always be set to 0. If you want to keep your counter do --noflush
>>
>> > NOTE: In that ServerFault posting, I suggested using the anti-attack rules in -t raw -A PREROUTING. This saves a great deal of processing, because the "raw" table is just that: raw, unadulterated, unanalyzed packets. The CPU assumes nothing, it merely tries to match well-known fields' values.
>> >
>>
>> And because nothing is assumed, you can't prepend a conntrack rule. I can't think of why you'd ever want those packets (and I should probably move at least those 4 masks to raw) but just an FYI - no processing means no processing.
>>
>> Also see nftables: http://netfilter.org/projects/nftables/
>>
>
> Very interesting... were they aiming for something similar to *BSD's pf firewall?
>

IDK (I think I remember reading that, but maybe I was just dreaming as I can't recall where), but that's sorta what it's looking like at this point.

> I personally prefer iptables-style firewall; no guessing about how a state machine will respond in strange situations. Especially since I greatly leverage ipset and '-m condition' (part of xtables-addons), which might or might not be fully supported by nftables.
>

pf is easier to learn. I use iptables much more, but if I need to do something with pf, it wouldn't take me very long to re-learn what's going on so that's sorta a plus for pf.

IIRC, nftables is supposed to be backward compatible. But, will x module work.... I hope they didn't go and break stuff too much :)
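As an added example (not from the thread or any of its posters), the two points above in code: a Python checker that rewrites the [pkts:bytes] counters of an iptables-save dump to [0:0] before iptables-restore, and that flags raw-table rules using -m conntrack / -m state, which the raw table is evaluated too early to satisfy. The dump it works on is constructed, not captured from a real host.

```python
"""Added example (not from the thread): a small checker for iptables-save dumps.
It zeroes the [pkts:bytes] counters the thread says to replace with [0:0], and
flags raw-table rules that rely on conntrack state, which has not been computed
yet when raw/PREROUTING is evaluated."""
import re

# Constructed sample in iptables-save format, not captured from a real host.
SAMPLE_DUMP = """\
*raw
:PREROUTING ACCEPT [123456:7890123]
:OUTPUT ACCEPT [4321:98765]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -m conntrack --ctstate INVALID -j DROP
COMMIT
*filter
:INPUT DROP [17:1020]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [99:12345]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

COUNTER_RE = re.compile(r"\[\d+:\d+\]")
# Matches that need a tracked connection: -m conntrack / -m state or --ctstate / --state.
CONNTRACK_RE = re.compile(r"-m\s+(?:conntrack|state)\b|--(?:ct)?state\b")


def zero_counters(dump):
    """Replace every [pkts:bytes] counter with [0:0] before iptables-restore."""
    return COUNTER_RE.sub("[0:0]", dump)


def conntrack_rules_in_raw(dump):
    """Return raw-table rules that match on conntrack state (never tracked there)."""
    table, offenders = None, []
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()  # "*raw" -> "raw"
        elif line == "COMMIT":
            table = None
        elif table == "raw" and line.startswith("-A") and CONNTRACK_RE.search(line):
            offenders.append(line)
    return offenders


if __name__ == "__main__":
    print(zero_counters(SAMPLE_DUMP))
    for rule in conntrack_rules_in_raw(SAMPLE_DUMP):
        print("raw-table rule depends on conntrack:", rule)
```

If you want to keep the counters instead, skip zero_counters() and pass --noflush to iptables-restore, as the thread notes.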