Hi,
I've noticed when creating DROP rules against malicious traffic, shorewall
creates them in the ZONE2ZONE chain (in my example wan2dmz).
However, getting to the DROP entry involves several jumps between chains, and
happens pretty late (if I got it right).
When looking at the graphic at http://www.shorewall.net/images/Netfilter.png,
it seems the best way would be to have shorewall create a DROP rule against
malicious traffic in the mangle table. My benchmarks show that this way, the
machine running shorewall can reach a much higher (40%-50%) rate when it's
attacked with very small packets. In one test it was about 2.2mpps vs 4.1mpps
on an E3-1270 with a 10GE Intel NIC.
Could we add an option to /etc/shorewall/interfaces that would enable creation
of DROP rules in mangle? Something like this:
net eth0 detect mangledrop
and then in rules, I'd have this for example and it'd be created in the mangle
table.
DROP net:1.2.3.4 dmz udp 0:65535 0,53
Any opinions on this? I'm probably missing something...?
Best regards,
Stefan Behte
--------------------------------------------
Stefan Behte
Teamleiter Systemadministration
Babiel GmbH
Erkrather Str. 224a
D-40233 Düsseldorf
Tel: 0211-179349 0
Fax: 0211-179349 29
E-Mail: [email protected]
Internet: http://www.babiel.com
Geschäftsführer: Georg Babiel, Dr. Rainer Babiel, Harald Babiel Amtsgericht
Düsseldorf HRB 38633
------------------------------------------------------------------------------
Android is increasing in popularity, but the open development platform that
developers love is also attractive to malware creators. Download this white
paper to learn more about secure code signing practices that can help keep
Android apps secure.
http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
