Hi all,

I have seen Shorewall places the state verification rules (-m state --state ESTABLISHED,RELATED) as the first rule in a zone2zone chain. This means that state checking is done after all the rules involving traffic from this zone to this zone. As you could have a lot of them, wouldn't it be better to place them just after checking that the state is not invalid? This would mean a lot of packets would be accepted or rejected much faster.

Regards

--
Jaime Nebrera - jnebrera@eneotecnologia.com
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
Jaime Nebrera wrote:
> Hi all,
>
> I have seen Shorewall places the state verification rules (-m state
> --state ESTABLISHED,RELATED) as the first rule in a zone2zone chain.
> This means that state checking is done after all the rules involving
> traffic from this zone to this zone. As you could have a lot of them, wouldn't it be
> better to place them just after checking that the state is not invalid? This
> would mean a lot of packets would be accepted or rejected much faster.

The rule is placed there as a default accounting feature. If you place it back in the FORWARD/INPUT chain then you lose that.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom,

> The rule is placed there as a default accounting feature. If you place
> it back in the FORWARD/INPUT chain then you lose that.

As always, I would like to hear Microsoft respond as fast and as knowledgeably as you :)

OK, I see your point. We will consider making a patch to Shorewall so that if you don't use traffic accounting (as is our case) you could place these rules at the beginning and increase the performance.

BTW, I see many people are offering you regional beers. The problem is, here in Spain we are not famous for beer but are good indeed in wine (red) and olive oil. We could even send you some saffron, as here it is cheap and it weighs very little (also it is not bad for your belly line :)). What do you prefer?

--
Jaime Nebrera - jnebrera@eneotecnologia.com
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
Jaime Nebrera wrote:
>
> BTW, I see many people are offering you regional beers. The problem is,
> here in Spain we are not famous for beer but are good indeed in wine
> (red) and olive oil. We could even send you some saffron, as here it is
> cheap and it weighs very little (also it is not bad for your belly line :)).
> What do you prefer?
>

Hello Jaime,

Please don't feel like you must send anything, but if you would send some saffron, we would very much appreciate it. It is quite expensive here.

Thanks,
-Tom
Tom Eastep wrote:
>
> Hello Jaime,
>
> Please don't feel like you must send anything, but if you would send some
> saffron, we would very much appreciate it. It is quite expensive here.
>

Sorry folks -- I didn't realize that this post was going to the list.

-Tom
Jaime Nebrera wrote:
>
>> The rule is placed there as a default accounting feature. If you place
>> it back in the FORWARD/INPUT chain then you lose that.
>
> As always, I would like to hear Microsoft respond as fast and as
> knowledgeably as you :)
>
> OK, I see your point. We will consider making a patch to Shorewall so
> that if you don't use traffic accounting (as is our case) you could place
> these rules at the beginning and increase the performance.

There is a thread on the User's list currently that illustrates another good reason to keep the current code (I'm referring to the FTP/DMZ thread). While you can see that there is a problem by looking at the connection tracking table (note all of the UNREPLIED states on the "right" side of the connections), it becomes clear that loc->net traffic is bypassing the firewall when you look at the eth1_fwd chain (not one byte has been passed back from eth1 to eth0). With your option enabled, you wouldn't be able to see that from the output of "shorewall status".

-Tom
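To make the trade-off in this thread concrete, here is an added example: a small Python model of netfilter chain traversal with per-rule packet/byte counters. It is my own toy model written for this page, not Shorewall's code, and it assumes a two-interface box (eth1 = loc, eth0 = net), Shorewall-style dispatch chains FORWARD -> eth1_fwd/eth0_fwd -> loc2net/net2loc, fifty constructed per-port filler rules in each zone chain, and a constructed packet sample (one NEW connection and twenty ESTABLISHED packets on it). Layout A puts the ESTABLISHED,RELATED ACCEPT first in each zone2zone chain, as Tom describes; layout B moves it to the top of FORWARD, as Jaime proposes. The model returns how many rule matches were tried and what the interface and zone chain counters would show, so both the performance argument and the accounting argument can be checked against the same traffic.

```python
"""Toy model of netfilter chain traversal with per-rule counters.

Added example, not Shorewall code.  Chain names, filler rules and the
packet sample below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]  # keys: in_if, out_if, state, dport, length


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str          # "ACCEPT", "DROP", or the name of a user chain to jump to
    label: str = ""      # tag used only for reporting
    packets: int = 0     # per-rule counters, like `iptables -L -v` shows
    bytes: int = 0


class Ruleset:
    def __init__(self, policy: str = "DROP") -> None:
        self.chains: Dict[str, List[Rule]] = {"FORWARD": []}
        self.policy = policy      # policy of the builtin FORWARD chain
        self.evaluations = 0      # total number of rule matches attempted

    def add(self, chain: str, rule: Rule) -> Rule:
        self.chains.setdefault(chain, []).append(rule)
        return rule

    def _walk(self, chain: str, pkt: Packet) -> Optional[str]:
        """Traverse one chain; None means we fell off the end (implicit RETURN)."""
        for rule in self.chains.get(chain, []):
            self.evaluations += 1
            if not rule.match(pkt):
                continue
            rule.packets += 1
            rule.bytes += int(pkt["length"])
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            verdict = self._walk(rule.target, pkt)   # jump into a user chain
            if verdict is not None:
                return verdict
        return None

    def forward(self, pkt: Packet) -> str:
        verdict = self._walk("FORWARD", pkt)
        return verdict if verdict is not None else self.policy

    def chain_bytes(self, chain: str) -> int:
        """Bytes counted by all rules in a chain (what `shorewall status` would list)."""
        return sum(r.bytes for r in self.chains.get(chain, []))


def established(pkt: Packet) -> bool:
    return pkt["state"] in ("ESTABLISHED", "RELATED")


def build(state_rule_in_forward: bool, filler_rules: int = 50) -> Ruleset:
    """Two-interface firewall: eth1 = loc (LAN), eth0 = net (Internet)."""
    rs = Ruleset(policy="DROP")
    if state_rule_in_forward:                       # layout B: Jaime's proposal
        rs.add("FORWARD", Rule(established, "ACCEPT", "FORWARD:est"))
    # Shorewall-style dispatch: FORWARD -> <iface>_fwd -> <zone>2<zone>
    rs.add("FORWARD", Rule(lambda p: p["in_if"] == "eth1", "eth1_fwd"))
    rs.add("FORWARD", Rule(lambda p: p["in_if"] == "eth0", "eth0_fwd"))
    rs.add("eth1_fwd", Rule(lambda p: p["out_if"] == "eth0", "loc2net"))
    rs.add("eth0_fwd", Rule(lambda p: p["out_if"] == "eth1", "net2loc"))
    for zone_chain in ("loc2net", "net2loc"):
        if not state_rule_in_forward:               # layout A: what Shorewall generates
            rs.add(zone_chain, Rule(established, "ACCEPT", zone_chain + ":est"))
        # constructed filler: many per-port rules, as a busy site would have
        for port in range(1000, 1000 + filler_rules):
            rs.add(zone_chain, Rule(lambda p, port=port: p["dport"] == port, "ACCEPT"))
    rs.add("loc2net", Rule(lambda p: True, "ACCEPT"))   # loc->net policy ACCEPT
    rs.add("net2loc", Rule(lambda p: True, "DROP"))     # net->loc policy DROP
    return rs


# Constructed traffic: a LAN client opens one connection to the Internet
# (NEW, loc->net), gets 10 reply packets (ESTABLISHED, net->loc) and sends
# 10 more packets on the same connection (ESTABLISHED, loc->net).
SAMPLE_PACKETS: List[Packet] = (
    [{"in_if": "eth1", "out_if": "eth0", "state": "NEW", "dport": 80, "length": 60}]
    + [{"in_if": "eth0", "out_if": "eth1", "state": "ESTABLISHED", "dport": 40000, "length": 1500}] * 10
    + [{"in_if": "eth1", "out_if": "eth0", "state": "ESTABLISHED", "dport": 80, "length": 100}] * 10
)


def simulate(state_rule_in_forward: bool) -> Dict[str, int]:
    rs = build(state_rule_in_forward)
    verdicts = [rs.forward(p) for p in SAMPLE_PACKETS]
    return {
        "accepted": verdicts.count("ACCEPT"),
        "evaluations": rs.evaluations,
        "eth0_fwd_bytes": rs.chain_bytes("eth0_fwd"),  # reply traffic seen per interface
        "net2loc_bytes": rs.chain_bytes("net2loc"),    # reply traffic seen per zone pair
        "loc2net_bytes": rs.chain_bytes("loc2net"),
    }


if __name__ == "__main__":
    for name, flag in (("A: state rule in zone chains", False), ("B: state rule in FORWARD", True)):
        print(name, simulate(flag))
```

Both layouts accept the same 21 packets. Layout B tries fewer rule matches (74 against 124 here, all of the saving coming from the short dispatch path the established packets skip), but its eth0_fwd and net2loc counters stay at zero for the reply traffic, which is exactly the per-interface and per-zone accounting Tom relies on in the FTP/DMZ diagnosis above. Raise `filler_rules` to see that the filler rules cost nothing in either layout for established packets, because the state rule sits ahead of them in both.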