On Dec 30, 2013 7:31 PM, "shawn wilson" <ag4ve...@gmail.com> wrote:
>
> Minor additions to what Pandu said...
>
> On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan <pa...@poluan.info> wrote:
> > On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl <tansta...@libertytrek.org> wrote:
> >
> > The numbers within [brackets] are statistics/counters. Just replace
> > them with [0:0], unless you really really really have a good reason to
> > not start counting from 0...
> >
>
> AFAIK, there's no reason this shouldn't always be set to 0. If you want
> to keep your counter do --noflush
>
> > NOTE: In that ServerFault posting, I suggested using the anti-attack
> > rules in -t raw -A PREROUTING. This saves a great deal of processing,
> > because the "raw" table is just that: raw, unadulterated, unanalyzed
> > packets. The CPU assumes nothing, it merely tries to match well-known
> > fields' values.
> >
>
> And because nothing is assumed, you can't prepend a conntrack rule. I
> can't think of why you'd ever want those packets (and I should
> probably move at least those 4 masks to raw) but just an FYI - no
> processing means no processing.
>
> Also see nftables: http://netfilter.org/projects/nftables/
>
Very interesting... were they aiming for something similar to *BSD's pf firewall?

I personally prefer an iptables-style firewall; no guessing about how a state machine will respond in strange situations. Especially since I greatly leverage ipset and '-m condition' (part of xtables-addons), which might or might not be fully supported by nftables.

Rgds,
--
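An added example, not code from anyone in this thread: a small Python script that takes `iptables-save -c` text, rewrites every `[pkts:bytes]` counter to `[0:0]` (what the quoted advice recommends before handing a saved ruleset to `iptables-restore`), and flags `-m conntrack` / `-m state` matches that ended up in the raw table, where the packet has not been through connection tracking yet. The `SAMPLE_DUMP` is constructed for this example; its four TCP-flag rules in raw PREROUTING are illustrative and are not the "4 masks" shawn refers to, which the thread does not list.

```python
"""Normalise an iptables-save dump before feeding it to iptables-restore.

Added example, not code from the thread. It parses iptables-save text,
rewrites every [pkts:bytes] counter to [0:0], and flags -m state / -m
conntrack matches placed in the *raw table, where connection tracking
has not run yet. SAMPLE_DUMP is constructed for illustration.
"""
import re

# Constructed sample of `iptables-save -c` output: TCP-flag sanity rules in
# raw PREROUTING (one per bogus flag combination) plus a minimal filter table.
# With -c, every rule line starts with its own [pkts:bytes] counter.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.21 on Mon Dec 30 12:00:00 2013
*raw
:PREROUTING ACCEPT [98765:43210987]
:OUTPUT ACCEPT [12345:6789012]
[17:680] -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
[3:120] -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
[5:200] -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
[2:80] -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
[0:0] -A PREROUTING -m conntrack --ctstate INVALID -j DROP
COMMIT
*filter
:INPUT DROP [4321:987654]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8765:1234567]
[1000:50000] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[40:2400] -A INPUT -i lo -j ACCEPT
[12:720] -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

COUNTER_RE = re.compile(r"\[(\d+):(\d+)\]")
STATE_MATCH_RE = re.compile(r"-m (?:conntrack|state)\b")


def zero_counters(dump: str) -> str:
    """Replace every [pkts:bytes] counter with [0:0].

    Chain lines (":NAME POLICY [p:b]") and rule lines written by
    `iptables-save -c` ("[p:b] -A NAME ...") each carry exactly one counter,
    so only the first match on a line is touched; comments and COMMIT pass
    through unchanged.
    """
    out = []
    for line in dump.splitlines():
        if line.startswith((":", "[")):
            line = COUNTER_RE.sub("[0:0]", line, count=1)
        out.append(line)
    return "\n".join(out) + "\n"


def chain_counters(dump: str) -> dict:
    """Map (table, chain) -> (packets, bytes) taken from the chain lines."""
    counters = {}
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith(":") and table is not None:
            name, _policy, counter = line[1:].split(maxsplit=2)
            pkts, nbytes = COUNTER_RE.fullmatch(counter).groups()
            counters[(table, name)] = (int(pkts), int(nbytes))
    return counters


def rules_by_table(dump: str) -> dict:
    """Map table -> list of rule lines with any leading counter stripped."""
    tables = {}
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
            tables[table] = []
        elif table is not None and line.startswith(("[", "-A ")):
            tables[table].append(COUNTER_RE.sub("", line, count=1).strip())
    return tables


def state_matches_in_raw(dump: str) -> list:
    """Rules in the raw table that use -m conntrack or -m state.

    The raw table is traversed before the conntrack hook, so these matches
    see no connection entry; xt_conntrack then treats the packet as
    INVALID, which makes "--ctstate INVALID -j DROP" in raw drop everything.
    """
    return [r for r in rules_by_table(dump).get("raw", []) if STATE_MATCH_RE.search(r)]


if __name__ == "__main__":
    for rule in state_matches_in_raw(SAMPLE_DUMP):
        print("WARNING: state match in raw table:", rule)
    # Zeroed output is what you would pipe into `iptables-restore`.
    print(zero_counters(SAMPLE_DUMP), end="")
```

Piping the zeroed output into `iptables-restore` replaces the tables named in the dump with fresh zero counters; `iptables-restore --noflush` instead appends the rules to whatever is already loaded, which is the case shawn describes where existing counters are kept. The lint at the end is the caveat behind "you can't prepend a conntrack rule": a state match in raw PREROUTING runs before conntrack has looked at the packet, so it cannot do what the same rule does in the filter table.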