On 8/20/2014 2:49 PM, PGNd wrote:
>
>
> On Wed, Aug 20, 2014, at 02:37 PM, Tom Eastep wrote:
>>> NOTRACK +IPBLACKLIST_IP!+IPWHITELIST_IP -
>>> NOTRACK +IPBLACKLIST_NET!+IPWHITELIST_NET -
>>> DROP:P +IPBLACKLIST_IP!+IPWHITELIST_IP -
>>> DROP:P +IPBLACKLIST_NET!+IPWHITELIST_NET -
>
>> Very expensive to have every packet entering the firewall being checked
>> twice against a large ipset.
>
> Can't disagree, generally.
>
> Are you referring, specifically, to the presence of BOTH the NOTRACK
> ... and DROP:P ... stmts?
>
> Do I need the NOTRACK prior to the DROP:P? The former I added to
> avoid filling the conntrack table with junk I'm going to 'mercilessly' DROP
> anyway.
If you DROP, no conntrack entry will be created. Also, if you qualify the SOURCE with the net interface(s), at least traffic from the local LAN won't be compared to the ipset.

-Tom

-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \  died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
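To make the two points concrete, here is an added rules-file sketch that is not part of the thread: PGNd's four entries as posted, followed by the reduced form Tom's reply implies. The external interface name eth0 is an assumption; the ipset names are the ones quoted in the thread.

```text
# --- As posted: every packet is matched against the blacklist ipsets twice,
#     once by the NOTRACK rule and once by the DROP:P rule, regardless of the
#     interface it arrived on.
#ACTION        SOURCE                                   DEST
NOTRACK        +IPBLACKLIST_IP!+IPWHITELIST_IP          -
NOTRACK        +IPBLACKLIST_NET!+IPWHITELIST_NET        -
DROP:P         +IPBLACKLIST_IP!+IPWHITELIST_IP          -
DROP:P         +IPBLACKLIST_NET!+IPWHITELIST_NET        -

# --- Reduced form following the reply: a packet dropped in PREROUTING never
#     reaches conntrack, so the NOTRACK entries buy nothing and are removed.
#     Qualifying SOURCE with the external interface (eth0 is assumed here)
#     means packets arriving from the local LAN skip the ipset lookup entirely.
#ACTION        SOURCE                                   DEST
DROP:P         eth0:+IPBLACKLIST_IP!+IPWHITELIST_IP     -
DROP:P         eth0:+IPBLACKLIST_NET!+IPWHITELIST_NET   -
```

After `shorewall check`, comparing `iptables -t raw -L PREROUTING -v` before and after shows the match count halving and the rules gaining an `in eth0` qualifier.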
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
