do we need always have stateful filtering in linux or not ?
Linux - Security forum, LinuxQuestions.org
Hi,
I am new to Linux firewalls.
I want to know: if we want to have a good Linux firewall, do we always have to do stateful filtering, or can we use stateless filtering for some connections and stateful filtering for other connections? I ask this because when we use stateful filtering, the connection table creates an entry for every connection, and searching in this table causes a decrease in firewall connection speed.
Please solve my problem.
Best
i ask this because when we (..) search in this table cause decreasing firewall connection speed
No, searching /proc/net/ip_conntrack should not cause ANY decrease in connection speed. 0) How did you actually measure that? And what is the 1) reason you're searching /proc/net/ip_conntrack and 2) how are you doing that?
Dear unSpawn,
Thanks for answering.
When I say we search in the connection table, I mean that iptables searches the connection table to match the incoming packet
with one of the entries in this table; I don't mean that we search in this table ourselves.
When we use connection tracking with the -m option, every time we create a new connection a new entry is added to this table (the connection tracking table), and every packet that wants to come in to, leave from, or pass through the firewall is checked against the connection tracking table entries. But if we do filtering by stateless rules, then we don't have this checking.
I don't know if my description is clear enough to explain the problem?
Best
After the connection is established, subsequent traffic will be quicker because the "established, related" rule will accept the traffic bypassing subsequent rules.
Next to what jschiwal wrote, generally speaking, performance will only be an issue if you have performance-draining rules or illogical rule ordering, or if you use some access-denying kludge that dumps rules in the filter table INPUT chain (or anywhere else that isn't at the network level, like /etc/hosts.deny, /etc/hosts, .ht_access files). Understanding Netfilter is key, including modules like "recent", targets like "NOTRACK" and additional utilities like "ipset". See this and this and maybe this and this.
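As an added example (not from any poster in this thread) of mixing the two approaches the thread discusses: the ruleset below keeps the "established, related" fast path first, and uses the NOTRACK target in the raw table to keep one assumed high-volume flow (UDP/53 on a busy resolver) out of the conntrack table, matching those packets statelessly via the UNTRACKED state instead. The function names emit_ruleset, apply_ruleset and stateful_rule_count are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: this host runs a busy DNS
# resolver, so UDP/53 is exempted from connection tracking (NOTRACK) and
# filtered statelessly, while everything else stays stateful.

# Print the ruleset in iptables-restore syntax.
emit_ruleset() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# No conntrack entries for DNS queries to this host or its replies
-A PREROUTING -p udp --dport 53 -j NOTRACK
-A OUTPUT -p udp --sport 53 -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Stateful fast path first: packets of known connections are accepted here
# and never traverse the rules below (rule ordering matters)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Stateless path: untracked DNS packets are judged on their own headers only
-A INPUT -p udp --dport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
# New connections to SSH still go through state-aware checks
-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Load the ruleset atomically; needs root and iptables-restore.
# Only runs when explicitly invoked, so the script is safe to source.
apply_ruleset() {
    emit_ruleset | iptables-restore
}

# Number of rules that consult conntrack state (everything not NOTRACKed
# is still filtered statefully).
stateful_rule_count() {
    emit_ruleset | grep -c -- '--ctstate'
}
```

Run `apply_ruleset` as root to load it; `emit_ruleset` alone lets you inspect the rules without touching the kernel.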