LinuxQuestions.org
Forum: Linux - Security
Old 09-22-2012, 09:56 AM   #1
kikilinux
Member
 
Registered: Sep 2012
Posts: 78

Rep: Reputation: Disabled
Do we always need to have stateful filtering in Linux or not?


Hi,
I am new to Linux firewalls.
I want to know: if we want to have a good Linux firewall, do we always have to do stateful filtering, or can we use stateless filtering for some connections and stateful filtering for other connections? I ask this because when we use stateful filtering, the connection table creates an entry for every connection, and searching in this table causes a decrease in firewall connection speed.
Please solve my problem.
Best
 
Old 09-22-2012, 11:36 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2787
Quote:
Originally Posted by kikilinux
i ask this because when we (..) search in this table cause decreasing firewall connection speed
No, searching /proc/net/ip_conntrack should not cause ANY decrease in connection speed. 0) How did you actually measure that? And what is the 1) reason you're searching /proc/net/ip_conntrack and 2) how are you doing that?
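As an added example (not code from unSpawn's or kikilinux's posts): a small Python parser for the conntrack table dump the thread refers to. It accepts either the old /proc/net/ip_conntrack layout or the newer /proc/net/nf_conntrack layout, which prefixes each line with the L3 family, and summarises entries by protocol, state and destination port so you can see what the table actually holds. The sample lines are constructed, and `read_live_table` assumes the usual proc paths (reading them needs root on a real host).

```python
"""Parse a conntrack table dump (the /proc/net/ip_conntrack layout the thread
mentions, or the newer /proc/net/nf_conntrack layout) and summarise it.
Added example; the sample lines below are constructed, not captured."""
import os
from collections import Counter

TCP_STATES = {"SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT", "CLOSE_WAIT",
              "LAST_ACK", "TIME_WAIT", "CLOSE", "LISTEN"}

# Constructed sample in both layouts (not a capture from a real host).
SAMPLE_TABLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=192.0.2.10 dst=198.51.100.7 sport=51240 dport=22 [UNREPLIED] src=198.51.100.7 dst=192.0.2.10 sport=22 dport=51240 mark=0 zone=0 use=1
ipv4     2 udp      17 29 src=192.0.2.10 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=40000 mark=0 zone=0 use=2
tcp      6 30 TIME_WAIT src=192.0.2.11 dst=198.51.100.5 sport=44000 dport=80 src=198.51.100.5 dst=192.0.2.11 sport=80 dport=44000 [ASSURED] mark=0 use=1
"""


def parse_entry(line):
    """Return a dict for one table line, or None for a blank line."""
    tokens = line.split()
    if not tokens:
        return None
    if tokens[0] in ("ipv4", "ipv6"):      # nf_conntrack prefixes the L3 family and number
        tokens = tokens[2:]
    proto, timeout = tokens[0], int(tokens[2])   # tokens[1] is the protocol number
    rest = tokens[3:]
    # Only TCP (and a few other protocols) carry a state word before the tuples.
    state = rest.pop(0) if rest and rest[0] in TCP_STATES else None
    orig, reply, flags, extra = {}, {}, [], {}
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok[1:-1])          # [ASSURED], [UNREPLIED]
            continue
        key, _, val = tok.partition("=")
        if key in ("src", "dst", "sport", "dport"):
            # First occurrence of each key is the original direction, second the reply.
            (orig if key not in orig else reply)[key] = val
        else:
            extra[key] = val                 # mark=, zone=, use=
    return {"proto": proto, "timeout": timeout, "state": state,
            "orig": orig, "reply": reply, "flags": flags, "extra": extra}


def summarize(text):
    entries = [e for e in map(parse_entry, text.splitlines()) if e]
    return {
        "total": len(entries),
        "by_state": Counter((e["proto"], e["state"] or "-") for e in entries),
        # Entries that never saw a reply are worth a look: scans, dead peers, asymmetric routing.
        "unreplied": [e for e in entries if "UNREPLIED" in e["flags"]],
        "by_dport": Counter((e["proto"], e["orig"]["dport"]) for e in entries),
    }


def read_live_table():
    """Read the kernel's table (needs root); returns None if neither path exists."""
    for path in ("/proc/net/nf_conntrack", "/proc/net/ip_conntrack"):
        if os.path.exists(path):
            with open(path) as f:
                return f.read()
    return None


if __name__ == "__main__":
    text = read_live_table() or SAMPLE_TABLE
    s = summarize(text)
    print(f"{s['total']} entries")
    for (proto, state), n in sorted(s["by_state"].items()):
        print(f"  {proto:4} {state:12} {n}")
    for e in s["unreplied"]:
        print("  unreplied:", e["orig"])
```

Comparing `total` against the value in /proc/sys/net/netfilter/nf_conntrack_max tells you how close the table is to filling, which is the condition that actually hurts, since new connections are dropped once it is full.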
 
Old 09-23-2012, 03:31 AM   #3
kikilinux
Member
 
Registered: Sep 2012
Posts: 78

Original Poster
Rep: Reputation: Disabled
My answer

Dear unSpawn,
Thanks for answering.
When I say we search in the connection table, I mean that iptables searches the connection table to match the incoming packet
with one of the entries in this table; I don't mean that we search in this table.
When we use connection tracking with the -m option, every time we create a new connection, a new entry is added to this table (the connection tracking table), and every packet that wants to come in or go out and pass through the firewall is checked against the connection tracking table entries, but if we do filtering by stateless rules then we don't have this checking.
I don't know if my description is good enough to make the problem clear?
Best
 
Old 09-23-2012, 03:36 AM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
After the connection is established, subsequent traffic will be quicker because the "established, related" rule will accept the traffic bypassing subsequent rules.
 
Old 09-23-2012, 08:52 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2787
Next to what jschiwal wrote, generally speaking, performance will only be an issue if you have performance-draining rules or illogical rule ordering, or if you use some access-denying kludge that dumps rules in the filter table INPUT chain (or anywhere else that isn't at the network level, like /etc/hosts.deny, /etc/hosts, .htaccess files). Understanding Netfilter is key, including modules like "recent", targets like "NOTRACK" and additional utilities like "ipset". See this and this and maybe this and this.
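To make jschiwal's and unSpawn's points concrete, here is an added toy model (not netfilter, and not code from any poster in this thread) of a filter chain with a connection-tracking table. It counts how many rules each packet is compared against when the ESTABLISHED,RELATED rule comes first, when it comes last, when there is no tracking at all, and when one port is exempted from tracking the way a raw-table NOTRACK rule would. Addresses, ports and rule counts are constructed, and conntrack is simplified to one hash lookup per direction.

```python
"""Toy model of a netfilter-style filter chain with a connection-tracking
table: counts rule evaluations per packet under different rule orderings and
shows what a stateless ruleset must allow to pass reply traffic.
Added illustration only; it is not netfilter."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    match: Callable[[Packet, str], bool]  # (packet, conntrack state) -> matched?
    target: str                           # "ACCEPT" or "DROP"


class Conntrack:
    """Flow table keyed by 5-tuple; the reply direction is found by reversing it."""

    def __init__(self, notrack_ports: Tuple[int, ...] = ()):
        self.table: Dict[tuple, str] = {}
        self.notrack_ports = set(notrack_ports)  # stands in for a raw-table NOTRACK rule

    def state(self, p: Packet) -> str:
        if p.dport in self.notrack_ports or p.sport in self.notrack_ports:
            return "UNTRACKED"
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.table or rev in self.table else "NEW"

    def confirm(self, p: Packet, state: str, verdict: str) -> None:
        # As in netfilter, a new entry is only confirmed once the packet is accepted.
        if state == "NEW" and verdict == "ACCEPT":
            self.table[(p.proto, p.src, p.sport, p.dst, p.dport)] = "SEEN"


class Firewall:
    def __init__(self, chain: List[Rule], ct: Optional[Conntrack]):
        self.chain, self.ct = chain, ct
        self.rule_checks = 0  # cumulative rule evaluations: the cost being compared

    def filter(self, p: Packet) -> str:
        state = self.ct.state(p) if self.ct else "UNTRACKED"
        verdict = "DROP"  # chain policy
        for rule in self.chain:  # linear walk, first match wins
            self.rule_checks += 1
            if rule.match(p, state):
                verdict = rule.target
                break
        if self.ct:
            self.ct.confirm(p, state, verdict)
        return verdict


SERVICE_PORTS = list(range(8000, 8050))  # 50 constructed service ports

ESTABLISHED = Rule("-m state --state ESTABLISHED,RELATED -j ACCEPT",
                   lambda p, st: st == "ESTABLISHED", "ACCEPT")


def to_port(port: int) -> Rule:
    return Rule(f"-p tcp --dport {port} -j ACCEPT",
                lambda p, st, port=port: p.proto == "tcp" and p.dport == port, "ACCEPT")


def from_port(port: int) -> Rule:
    # Without conntrack, replies can only be recognised by their source port.
    return Rule(f"-p tcp --sport {port} -j ACCEPT",
                lambda p, st, port=port: p.proto == "tcp" and p.sport == port, "ACCEPT")


def stateful_first(notrack: Tuple[int, ...] = ()) -> Firewall:
    return Firewall([ESTABLISHED] + [to_port(p) for p in SERVICE_PORTS], Conntrack(notrack))


def stateful_last() -> Firewall:
    return Firewall([to_port(p) for p in SERVICE_PORTS] + [ESTABLISHED], Conntrack())


def stateless() -> Firewall:
    return Firewall([to_port(p) for p in SERVICE_PORTS]
                    + [from_port(p) for p in SERVICE_PORTS], None)


def simulate(fw: Firewall, n_packets: int = 100) -> dict:
    """One TCP flow to the last service port with a reply per request, then one
    unsolicited packet whose *source* port happens to be a service port."""
    req = Packet("tcp", "192.0.2.10", 51234, "198.51.100.5", 8049)
    rep = Packet("tcp", "198.51.100.5", 8049, "192.0.2.10", 51234)
    verdicts = {v for _ in range(n_packets) for v in (fw.filter(req), fw.filter(rep))}
    checks = fw.rule_checks
    stray = Packet("tcp", "203.0.113.9", 8049, "192.0.2.10", 31337)
    return {"flow_verdicts": verdicts, "rule_checks": checks,
            "conntrack_entries": len(fw.ct.table) if fw.ct else 0,
            "stray_verdict": fw.filter(stray)}


if __name__ == "__main__":
    for label, fw in [("ESTABLISHED rule first", stateful_first()),
                      ("ESTABLISHED rule last", stateful_last()),
                      ("stateless", stateless()),
                      ("NOTRACK on port 8049", stateful_first(notrack=(8049,)))]:
        print(f"{label:24}", simulate(fw))
```

With the ESTABLISHED,RELATED rule first, only the first packet of a flow walks the whole chain; every later packet in either direction is settled by one hash lookup and one rule. Put that rule last and the walk happens for every packet, so the conntrack entry buys nothing. The stateless variant has to accept anything with a service source port just to let replies through, which is why the unsolicited packet is accepted there and dropped by the stateful chains. The NOTRACK variant shows the caveat unSpawn's pointer implies: exempted traffic creates no table entry, but it then needs its own stateless rules for both directions or its replies are dropped.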