On 10/31/2013 9:39 AM, Stefan Behte wrote:
> Hi,
> 
> I've noticed when creating DROP rules against malicious traffic,
> shorewall creates them in the ZONE2ZONE chain (in my example wan2dmz).
> However, getting to the DROP entry involves several jumps between
> chains, and happens pretty late (if I got it right).
> 
> When looking at the graphic at
> http://www.shorewall.net/images/Netfilter.png, it seems the best way
> would be to have shorewall create a DROP rule against malicious traffic
> in the mangle table. My benchmarks show that this way, the machine
> running shorewall can reach a much higher (40%-50%) rate when it's
> attacked with very small packets. In one test it was about 2.2mpps vs
> 4.1mpps on an E3-1270 with a 10GE Intel NIC.
> 
> Could we add an option to /etc/shorewall/interfaces that would enable
> creation of DROP rules in mangle? Something like this:
> net eth0 detect mangledrop
> 
> and then in rules, I'd have this for example and it'd be created in the
> mangle table.
> DROP net:1.2.3.4 dmz udp 0:65535 0,53
> 
> Any opinions on this? I'm probably missing something...?

Why would you want to optimize DROP? Do you DROP more packets than you
ACCEPT?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
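As an added illustration of the placement difference Stefan describes (this is not Shorewall's compiler and not code from the thread), the script below translates the mail's interfaces and rules lines into iptables arguments for both placements. It assumes the zone names from the rule line (so the zone chain is net2dmz rather than wan2dmz), a constructed interface mapping, and treats the proposed `mangledrop` option as hypothetical.

```python
# Added illustration (not Shorewall's compiler): translates the thread's example
# interfaces/rules lines into iptables argv for the two placements discussed.
# The "mangledrop" interface option is hypothetical (proposed in the mail only).

def parse_interfaces(text):
    """Parse 'ZONE INTERFACE BROADCAST OPTIONS' lines into {zone: (iface, options)}."""
    table = {}
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if not cols:
            continue
        cols += ["-"] * (4 - len(cols))          # missing trailing columns mean '-'
        zone, iface, _bcast, opts = cols[:4]
        table[zone] = (iface, set() if opts == "-" else set(opts.split(",")))
    return table

def parse_rule(line):
    """Parse 'ACTION SOURCE DEST PROTO DPORT SPORT' (the rules file columns)."""
    cols = line.split() + ["-"] * 6               # pad so absent columns read as '-'
    action, src, dst, proto, dport, sport = cols[:6]
    zone, _, addr = src.partition(":")            # 'net:1.2.3.4' -> zone 'net', host 1.2.3.4
    return dict(action=action, szone=zone, saddr=addr, dzone=dst,
                proto=proto, dport=dport, sport=sport)

def port_match(flag, spec):
    """iptables arguments for one port column; comma lists need the multiport match."""
    if spec == "-":
        return []
    if "," in spec:
        return ["-m", "multiport", "--" + flag + "s", spec]
    return ["--" + flag, spec]

def iptables_args(rule, ifaces):
    """Return iptables argv. A DROP whose source interface carries 'mangledrop'
    goes to mangle PREROUTING, which netfilter traverses before routing and
    before the filter FORWARD chain that leads (via further jumps) to net2dmz."""
    match = []
    if rule["saddr"]:
        match += ["-s", rule["saddr"]]
    if rule["proto"] != "-":
        match += ["-p", rule["proto"]]
    match += port_match("dport", rule["dport"]) + port_match("sport", rule["sport"])
    iface, opts = ifaces[rule["szone"]]
    if rule["action"] == "DROP" and "mangledrop" in opts:
        return ["iptables", "-t", "mangle", "-A", "PREROUTING", "-i", iface] + match + ["-j", "DROP"]
    chain = rule["szone"] + "2" + rule["dzone"]   # zone-to-zone chain, e.g. net2dmz
    return ["iptables", "-t", "filter", "-A", chain] + match + ["-j", rule["action"]]

IFACES = parse_interfaces("net eth0 detect mangledrop\ndmz eth1 detect")  # constructed
RULE = parse_rule("DROP net:1.2.3.4 dmz udp 0:65535 0,53")                 # from the mail
if __name__ == "__main__":
    print(" ".join(iptables_args(RULE, IFACES)))
```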


_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel