Shorewall users - Aug 2003 - [Fwd: Re: Shorewall 1.4.6: common chain rules are applied before policyrules?]

Thank you for your support.
The next question: Is there a kind of common chain  applied before
ACCEPT policy? I want to DROP or REJECT Netbios traffic on most
interfaces but do not want to repeat those rules in the rules file.
Thanks,
Boi

-----Th?ng ?i?p chuy?n ti?p-----
> From: Tom Eastep <tmeastep@hotmail.com>
> To: Le.Hong.Boi@sg.netnam.vn
> Subject: Re: Shorewall 1.4.6: common chain rules are applied before
policyrules?
> Date: 19 Aug 2003 15:35:19 -0700
> 
> In the future, please post your Shorewall questions on the Shorewall Users 
> Mailing list. See http://shorewall.net/support.htm.
> 
> The common.def chain is only applied before DROP and REJECT policies. It is
> not applied before an ACCEPT policy.
> 
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net
> 
> 
> 
> >From: Le Hong Boi <Le.Hong.Boi@sg.netnam.vn>
> >To: tmeastep@hotmail.com
> >Subject: Shorewall 1.4.6: common chain rules are applied before 
> >policyrules?
> >Date: 14 Aug 2003 11:52:50 +0700
> >
> >Hi Tom,
> >I have just installed Shorewall 1.4.6.
> >It seems that rules in common chain are not applied BEFORE rules in
> >policy. I see a lot of netbios packets go through my firewall.
> >My rules file is almost empty, there is not any line accept netbios
> >traffic in there.
> >Thanks and Regards,
> >L? H?ng B?i
> >Le.Hong.Boi@sg.netnam.vn
> >http://lhboi.tripod.com/
> >+84 91 3715235
> >
> 
> _________________________________________________________________
> <b>MSN 8:</b>  Get 6 months for $9.95/month 
> http://join.msn.com/?page=dept/dialup
> 
L? H?ng B?i
Le.Hong.Boi@sg.netnam.vn
http://lhboi.tripod.com/
+84 91 3715235

On Tue, 20 Aug 2003, Le Hong Boi wrote:
> Thank you for your support.
> The next question: Is there a kind of common chain  applied before
> ACCEPT policy? I want to DROP or REJECT Netbios traffic on most
> interfaces but do not want to repeat those rules in the rules file.
DROP	all	all	udp	137:139
DROP	...

-Tom

Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Thanks Tom.
However, such "all all" rule will be interpreted to a n-squared number
of rules where n is number of zones. And that will slow down the
firewall. I need some thing more efficient like the common chain.
Regards,
Boi

V?o ng?y Th 4 , 20/08/2003 l?c 10:50, 1061351414 vi?t r?ng:
> On Tue, 20 Aug 2003, Le Hong Boi wrote:
> 
> > Thank you for your support.
> > The next question: Is there a kind of common chain  applied before
> > ACCEPT policy? I want to DROP or REJECT Netbios traffic on most
> > interfaces but do not want to repeat those rules in the rules file.
> 
> DROP	all	all	udp	137:139
> DROP	...
> 
> -Tom
> 
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
L? H?ng B?i
Le.Hong.Boi@sg.netnam.vn
http://lhboi.tripod.com/
+84 91 3715235

On Tue, 2003-08-19 at 21:46, Le Hong Boi wrote:
> Thanks Tom.
> However, such "all all" rule will be interpreted to a n-squared
number
> of rules where n is number of zones. And that will slow down the
> firewall. I need some thing more efficient like the common chain.
Then I suggest that you read

    http://shorewall.net/shorewall_extension_scripts.htm

-Tom

-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Wed, 2003-08-20 at 06:49, Tom Eastep wrote:
> On Tue, 2003-08-19 at 21:46, Le Hong Boi wrote:
> > Thanks Tom.
> > However, such "all all" rule will be interpreted to a
n-squared number
> > of rules where n is number of zones. And that will slow down the
> > firewall. I need some thing more efficient like the common chain.
And by the way, your assertion that "all all" slows down the firewall
is
wrong. Each packet will still go through exactly the same number of
rules as it would with a common chain.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

At 8/20/2003 06:49 -0700, Tom Eastep wrote:
>On Tue, 2003-08-19 at 21:46, Le Hong Boi wrote:
> > Thanks Tom.
> > However, such "all all" rule will be interpreted to a
n-squared number
> > of rules where n is number of zones. And that will slow down the
> > firewall. I need some thing more efficient like the common chain.
>
>Then I suggest that you read
>
>     http://shorewall.net/shorewall_extension_scripts.htm
Regardless of the numer of zones, if there are only two rules in an "all 
all" situation, wouldn''t each packet have to go through only two
rules
regardless of its source or destination? After all, if I have 50 zones, and 
I get 2500 rules from this scenario, won''t each packet still only go 
through 2 or maybe 4?


-- 
Rodolfo J. Paiz
rpaiz@simpaticus.com

On Wed, 2003-08-20 at 06:58, Rodolfo J. Paiz wrote:
> 
> Regardless of the numer of zones, if there are only two rules in an
"all
> all" situation, wouldn''t each packet have to go through only
two rules
> regardless of its source or destination? After all, if I have 50 zones, and
> I get 2500 rules from this scenario, won''t each packet still only
go
> through 2 or maybe 4?
Yes, you''re correct as I mentioned in my second post on this thread.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Thank you very much! That is what I need.
Boi
V?o ng?y Th 4 , 20/08/2003 l?c 20:49, 1061387347 vi?t
r?ng:
> On Tue, 2003-08-19 at 21:46, Le Hong Boi wrote:
> > Thanks Tom.
> > However, such "all all" rule will be interpreted to a
n-squared number
> > of rules where n is number of zones. And that will slow down the
> > firewall. I need some thing more efficient like the common chain.
> 
> Then I suggest that you read
> 
>     http://shorewall.net/shorewall_extension_scripts.htm
> 
> -Tom
L? H?ng B?i
Le.Hong.Boi@sg.netnam.vn
http://lhboi.tripod.com/
+84 91 3715235