
List:       netfilter
Subject:    Re: User Rules
From:       Simon Edwards <simon () simonzone ! com>
Date:       2001-06-12 19:34:57

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Tuesday 12 June 2001 02:01, you wrote:
> I don't understand user rules.  How and why they are used just seems to go
> over my head...  So I must claim stupidity and ask the wealth of knowledge
> on this list: is there anyone who can explain it a little better to me?

> I think I understand the mechanics and semantics of user rules.  Yes they
> can optimize the flow through the rules, but for some reason I feel unable
> to see why I would need them with my current firewall iptables script.  If
> you know what I'm missing, that would metaphorically turn on the light,
> could you please pass it on to me?

:-)

Uses for user rules:

* Makes it possible to share rules between the INPUT, OUTPUT and FORWARD 
chains.

* Optimisation. Reduce the number of rules that are applied to a packet by 
using "divide and conquer" filtering strategies.

It's like programming in real languages. You can write whatever you like 
without defining your own subroutines, but you certainly wouldn't want to 
write anything non-trivial without subroutines. Subroutines (and user rules) 
help make things scalable.

Also one other thing. I suspect that user rules are important where you are 
using rate limited logging. Here's a lengthy example. Consider:

INPUT chain
===========
...
if PING_OF_DEATH then RATE LIMIT LOG (2/sec)
if PING_OF_DEATH then DROP
if RPC then RATE LIMIT LOG (2/sec)
if RPC then DROP
...

If someone sends you a flood of the Ping of Death, it will be dropped and 
logged at a rate of 2 per second, and your logs grow at a rate of 2/sec. If 
someone sends you a flood of RPC packets it will be dropped and logged at a 
rate of 2 per second and your logs grow at a rate of 2/sec. *BUT* if someone 
does both at the same time your logs grow at the aggregate rate of 4/sec. The 
more times you use the LOG rule the higher the resulting max log rate.

Kind of annoying I think. I would just like to ensure that my logs can only 
grow at a known maximum rate. That's kind of the whole point really. The only 
solution I know of would require the use of a user chain.

INPUT chain
===========
...
if PING_OF_DEATH then goto LOGDROP
if RPC then goto LOGDROP
...

LOGDROP user chain
==================
RATE LIMIT LOG (2/sec)
DROP

Logs can now only grow at the rate of 2/sec.

or am I wrong?

cheers,

- --
Simon Edwards
simon@simonzone.com
http://www.simonzone.com/
Nijmegen, The Netherlands       "ZooTV? You made the right choice."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjsmbuEACgkQuIuDmTrvhSZQOACgntbpW3uFx7NfwkWptDhiijdc
cIwAn3rdBwLN0jjul830OVaRU1zEoiKt
=KV1/
-----END PGP SIGNATURE-----
