1 |
On Dec 30, 2013 7:31 PM, "shawn wilson" <ag4ve.us@×××××.com> wrote: |
2 |
> |
3 |
> Minor additions to what Pandu said... |
4 |
> |
5 |
> On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan <pandu@××××××.info> wrote: |
6 |
> > On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl <tanstaafl@×××××××××××.org> |
7 |
wrote: |
8 |
> |
9 |
> > The numbers within [brackets] are statistics/countes. Just replace |
10 |
> > them with [0:0], unless you really really really have a good reason to |
11 |
> > not start counting from 0... |
12 |
> > |
13 |
> |
14 |
> AFAIK, there's no reason this shouldn't alway be set to 0. If you want |
15 |
> to keep your counter do --noflush |
16 |
> |
17 |
> > NOTE: In that ServerFault posting, I suggested using the anti-attack |
18 |
> > rules in -t raw -A PREROUTING. This saves a great deal of processing, |
19 |
> > becase the "raw" table is just that: raw, unadulterated, unanalyzed |
20 |
> > packets. The CPU assumes nothing, it merely tries to match well-known |
21 |
> > fields' values. |
22 |
> > |
23 |
> |
24 |
> And because nothing is assumed, you can't prepend a conntrack rule. I |
25 |
> can't think of why you'd ever want those packets (and I should |
26 |
> probably move at least those 4 masks to raw) but just an FYI - no |
27 |
> processing means no processing. |
28 |
> |
29 |
> Also see nftables: http://netfilter.org/projects/nftables/ |
30 |
> |
31 |
|
32 |
Very interesting... were they aiming for something similar to *BSD's pf |
33 |
firewall? |
34 |
|
35 |
I personally prefer iptables-style firewall; no guessing about how a state |
36 |
machine will respond in strange situations. Especially since I greatly |
37 |
leverage ipset and '-m condition' (part of xtables-addons), which might or |
38 |
might not be fully supported by nftables. |
39 |
|
40 |
Rgds, |
41 |
-- |