On Fri, 10 Jan 2014, Simon Hobson wrote:

>> DNS(ACCEPT) dmz:192.168.110.0/24 all
>> DROP dmz:192.168.110.0/24 net:!8.8.8.8,208.67.222.222 udp
>>
>> Where 8.8.8.8 and 208.67.222.222 are the DNS in /etc/resolv.conf
>
> You have redundant information in there. Since you have an accept rule
> for the DNS traffic, you don't need to exclude that from the following
> drop, hence you can just do :
>
> DNS(ACCEPT) dmz:192.168.110.0/24 all
> DROP dmz:192.168.110.0/24 net udp
That was my first idea, but I noticed that when these rules are active, the name resolution is very slow, so I tried this (and other variations). And I can't understand what is slowing DNS activity (connections by name are slow while connections by IP are normal).

Tried to add logging as per Tom's hint:

DNS(ACCEPT) dmz:192.168.110.0/24 all
LOG:6 dmz:192.168.110.0/24 net:!8.8.8.8,208.67.222.222 udp
DROP dmz:192.168.110.0/24 net:!8.8.8.8,208.67.222.222 udp

But my limited iptables skill and the amount of data in the log don't help :-)

> Also, if (as would normally be the case) 192.168.110.0/24 is the whole DMZ
> zone then you can remove that part - so you are now down to :
> DNS(ACCEPT) dmz all
> DROP dmz net udp
>
> Depending on your traffic profile and hardware capability, that could be
> a significant decrease in CPU loading for the same result.

I have a DMZ not limited to 192.168.110.0/24 ... :-)

Thanks,
P.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
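A small log-reduction script, added here as an example and not part of the original thread or of Shorewall itself: it takes kernel LOG lines of the kind the LOG:6 rule above produces, keeps only packets sourced from 192.168.110.0/24, tallies them by destination, protocol and port so the "amount of data in the log" collapses to a few lines, and separately flags any DNS packets to 8.8.8.8 or 208.67.222.222 that reached the logging rule. Such packets should not be there at all, because a packet matched by the earlier DNS(ACCEPT) rule never reaches a later rule in the same chain; seeing them means the ACCEPT rule is not matching that traffic, which is the first thing to verify. The log prefix format ("Shorewall:dmz2net:DROP:"), the interface names and the sample lines are constructed assumptions, not data from the poster's firewall.

```python
"""Summarise netfilter LOG lines from a Shorewall firewall: count logged
flows from the DMZ by destination/protocol/port and flag DNS packets to the
configured resolvers that reached the LOG rule. Added example, not code from
the original thread or from Shorewall."""
import ipaddress
import re
from collections import Counter

# Taken from the poster's rules; everything else in this file is an assumption.
DMZ_NET = ipaddress.ip_network("192.168.110.0/24")
RESOLVERS = {"8.8.8.8", "208.67.222.222"}

# netfilter writes the LOG prefix immediately before "IN=", followed by
# KEY=VALUE pairs (IN, OUT, SRC, DST, PROTO, SPT, DPT, ...).
_PREFIX_RE = re.compile(r"(?P<prefix>\S*)IN=")
_FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return (prefix, {KEY: VALUE}) for a netfilter LOG line, else None."""
    m = _PREFIX_RE.search(line)
    if m is None:
        return None
    fields = dict(_FIELD_RE.findall(line[m.start("prefix"):]))
    return m.group("prefix"), fields


def summarize(lines):
    """Tally logged flows from DMZ_NET keyed by (prefix, DST, PROTO, DPT).

    Also count DNS packets (DPT=53) destined for RESOLVERS: an accepted
    packet never reaches a later rule in the same chain, so any hit here
    means the DNS(ACCEPT) rule above the LOG rule did not match it.
    """
    flows = Counter()
    leaked_dns = Counter()
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue  # not a netfilter LOG line (sshd, cron, ...)
        prefix, f = parsed
        try:
            src = ipaddress.ip_address(f.get("SRC", ""))
        except ValueError:
            continue
        if src not in DMZ_NET:
            continue  # only interested in what the DMZ rules are dropping
        flows[(prefix, f.get("DST"), f.get("PROTO"), f.get("DPT"))] += 1
        if f.get("DPT") == "53" and f.get("DST") in RESOLVERS:
            leaked_dns[f["DST"]] += 1
    return flows, leaked_dns


# Constructed sample log (assumed default LOGFORMAT "Shorewall:%s:%s:"):
# two NTP packets dropped, one DNS query to 8.8.8.8 that should have been
# accepted, one unrelated inbound drop, one non-firewall line.
SAMPLE_LOG = """\
Jan 10 10:00:01 fw kernel: Shorewall:dmz2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.110.10 DST=203.0.113.7 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=41021 DPT=123 LEN=56
Jan 10 10:00:02 fw kernel: Shorewall:dmz2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.110.10 DST=203.0.113.7 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=41021 DPT=123 LEN=56
Jan 10 10:00:03 fw kernel: Shorewall:dmz2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.110.22 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=53012 DPT=53 LEN=40
Jan 10 10:00:04 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=22
Jan 10 10:00:05 fw sshd[123]: Accepted publickey for admin from 192.168.110.5
"""

if __name__ == "__main__":
    flows, leaked = summarize(SAMPLE_LOG.splitlines())
    for (prefix, dst, proto, dpt), n in flows.most_common():
        print(f"{n:6d}  {prefix} {proto}/{dpt} -> {dst}")
    for dst, n in leaked.items():
        print(f"WARNING: {n} DNS packet(s) to resolver {dst} reached the LOG rule")
```

Run it against the real log with `grep 'Shorewall:' /var/log/messages | python3 summarize.py` after changing the `__main__` block to read `sys.stdin`; the per-port tally shows which UDP services the DROP rule is actually catching, and a non-empty warning list narrows the search to the ACCEPT rule rather than the DROP rule.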
