1 |
On Tue, Dec 31, 2013 at 9:08 AM, Pandu Poluan <pandu@××××××.info> wrote: |
2 |
> |
3 |
> On Dec 30, 2013 7:31 PM, "shawn wilson" <ag4ve.us@×××××.com> wrote: |
4 |
>> |
5 |
>> Minor additions to what Pandu said... |
6 |
>> |
7 |
>> On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan <pandu@××××××.info> wrote: |
8 |
>> > On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl <tanstaafl@×××××××××××.org> |
9 |
>> > wrote: |
10 |
>> |
11 |
>> > The numbers within [brackets] are statistics/countes. Just replace |
12 |
>> > them with [0:0], unless you really really really have a good reason to |
13 |
>> > not start counting from 0... |
14 |
>> > |
15 |
>> |
16 |
>> AFAIK, there's no reason this shouldn't alway be set to 0. If you want |
17 |
>> to keep your counter do --noflush |
18 |
>> |
19 |
>> > NOTE: In that ServerFault posting, I suggested using the anti-attack |
20 |
>> > rules in -t raw -A PREROUTING. This saves a great deal of processing, |
21 |
>> > becase the "raw" table is just that: raw, unadulterated, unanalyzed |
22 |
>> > packets. The CPU assumes nothing, it merely tries to match well-known |
23 |
>> > fields' values. |
24 |
>> > |
25 |
>> |
26 |
>> And because nothing is assumed, you can't prepend a conntrack rule. I |
27 |
>> can't think of why you'd ever want those packets (and I should |
28 |
>> probably move at least those 4 masks to raw) but just an FYI - no |
29 |
>> processing means no processing. |
30 |
>> |
31 |
>> Also see nftables: http://netfilter.org/projects/nftables/ |
32 |
>> |
33 |
> |
34 |
> Very interesting... were they aiming for something similar to *BSD's pf |
35 |
> firewall? |
36 |
> |
37 |
|
38 |
IDK (I think I remember reading that, but maybe I was just dreaming as |
39 |
I can't recall where), but that's sorta what it's looking like at this |
40 |
point. |
41 |
|
42 |
> I personally prefer iptables-style firewall; no guessing about how a state |
43 |
> machine will respond in strange situations. Especially since I greatly |
44 |
> leverage ipset and '-m condition' (part of xtables-addons), which might or |
45 |
> might not be fully supported by nftables. |
46 |
> |
47 |
|
48 |
pf is easier to learn. I use iptables much more, but if I need to do |
49 |
something with pf, it wouldn't take me very long to re-learn what's |
50 |
going on so that's sorta a plus for pf. IIRC, nftables is supposed to |
51 |
be backward compatible. But, will x module work.... I hope they didn't |
52 |
go and break stuff too much :) |