RFC - sysadmin guidelines

Stephen John Smoogen smooge at gmail.com
Mon Jan 19 20:21:00 UTC 2009


On Sat, Jan 17, 2009 at 10:43 AM, Mike McGrath <mmcgrath at redhat.com> wrote:
> On Fri, 16 Jan 2009, Frank Chiulli wrote:
>
>> Mike,
>> First let me say that the examples are a great addition to the page.
>>
>> I was looking at the iptables sample configuration and had some
>> questions.  I compared your suggested configuration to my current
>> configuration (Fedora 10).  With the exception of the lines with
>> '--tcp-flags' in your sample configuration, they're pretty close.  I
>> don't have those yet.  The first three lines that start with '-A' in
>> your sample are the same as mine except the order is different.  Does
>> the order make a difference?
>>
>> Here are the lines from my file:
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>>
>> Here are yours:
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>>
>
> The order isn't that important though I should really have
> established,related come first.  The main reason for this is because
> IPTables runs like a list, any already approved content doesn't have to
> get checked against much of the list but instead is automatically
> approved.

It used to be that the state lookup might take more 'energy' than the
general accept, and some servers which threw mostly stuff over
loopback in single packets would experience a higher load than others.
That is probably an issue that is not as relevant today as it was in
the past, but the general rule was: get easy decisions done quickly,
do hard ones later (especially if you were in a very hostile/noisy
network).  I think that theory would need to be tested again, as the
iptables weight for dealing with state is different from when you
found a higher CPU load and some packet delay if you didn't just drop
worm port traffic first and then deal with state.

-

> This has security implications but for most setups its a good policy.
> I'll actually move that up now and refresh that page soon.
>




-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
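The ordering question in the thread, as an added example that is not part of any of the posts and not Fedora Infrastructure code: a toy Python model of first-match evaluation over an INPUT chain. The three ACCEPT rules are the ones both posters show; the --syn sanity rule, the ssh rule, the echo-request DROP, the interface/port names and all sample packets are assumptions made here for illustration. It shows that shuffling rules which all ACCEPT changes only how many rules a packet walks through, while putting a narrower DROP under a broader ACCEPT makes the DROP dead, which is the case where order is a security matter rather than a cost matter.

```python
"""Toy first-match model of an iptables INPUT chain.

Added example for this thread, not code from any of the posters or from
Fedora Infrastructure. It models only what the discussion turns on: rules
are tried top to bottom, the first match decides the packet, and the
chain policy applies when nothing matches. Cost is counted as the number
of rules examined; the real per-rule cost (a conntrack lookup versus an
interface compare) is what the thread says would have to be measured.
All packets below are constructed samples, not captured traffic.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str                      # incoming interface: "lo" or "eth0" (assumed names)
    proto: str                      # "tcp", "udp" or "icmp"
    state: str                      # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    dport: Optional[int] = None
    tcp_flags: FrozenSet[str] = frozenset()   # TCP flags that are set
    icmp_type: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    text: str                       # the iptables line this rule stands for
    match: Callable[[Packet], bool]
    target: str                     # ACCEPT, DROP or REJECT


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> Tuple[str, int]:
    """Walk the chain as the kernel does: the first matching rule wins.
    Returns (verdict, number of rules examined to reach it)."""
    for n, rule in enumerate(chain, start=1):
        if rule.match(pkt):
            return rule.target, n
    return policy, len(chain)


# The three ACCEPT rules both posters share.
LO = Rule("-A INPUT -i lo -j ACCEPT", lambda p: p.iface == "lo", "ACCEPT")
STATE = Rule("-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
             lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT")
ICMP = Rule("-A INPUT -p icmp -j ACCEPT", lambda p: p.proto == "icmp", "ACCEPT")
# Assumed additions (not in the thread): a --syn sanity rule of the kind the
# --tcp-flags lines provide, one service rule, and an ICMP-specific DROP.
BAD_NEW = Rule("-A INPUT -p tcp ! --syn -m state --state NEW -j DROP",
               lambda p: p.proto == "tcp" and p.state == "NEW"
               and p.tcp_flags != frozenset({"SYN"}), "DROP")
SSH = Rule("-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT",
           lambda p: p.proto == "tcp" and p.dport == 22 and p.state == "NEW", "ACCEPT")
PING_DROP = Rule("-A INPUT -p icmp --icmp-type echo-request -j DROP",
                 lambda p: p.proto == "icmp" and p.icmp_type == "echo-request", "DROP")

FRANKS_ORDER = [STATE, ICMP, LO, BAD_NEW, SSH]
MIKES_ORDER = [LO, STATE, ICMP, BAD_NEW, SSH]

# Constructed sample traffic, one packet per case the rules distinguish.
SAMPLES: Dict[str, Packet] = {
    "loopback": Packet("lo", "tcp", "NEW", 5432, frozenset({"SYN"})),
    "reply": Packet("eth0", "tcp", "ESTABLISHED", 22, frozenset({"ACK"})),
    "ping": Packet("eth0", "icmp", "NEW", icmp_type="echo-request"),
    "unreach": Packet("eth0", "icmp", "RELATED", icmp_type="destination-unreachable"),
    "ssh_syn": Packet("eth0", "tcp", "NEW", 22, frozenset({"SYN"})),
    "null_scan": Packet("eth0", "tcp", "NEW", 22, frozenset()),
    "http_syn": Packet("eth0", "tcp", "NEW", 80, frozenset({"SYN"})),
}


def compare(chain_a: List[Rule], chain_b: List[Rule]) -> Dict[str, Tuple[Tuple[str, int], Tuple[str, int]]]:
    """Verdict and rules examined for every sample under two orderings."""
    return {name: (evaluate(chain_a, p), evaluate(chain_b, p)) for name, p in SAMPLES.items()}


def verdicts_agree(chain_a: List[Rule], chain_b: List[Rule]) -> bool:
    """True when reordering changed only the cost, never the decision."""
    return all(a[0] == b[0] for a, b in compare(chain_a, chain_b).values())


def shadowed_rules(chain: List[Rule], probes: List[Packet]) -> List[str]:
    """Rules that match some probe but are never the first match for any:
    an earlier, broader rule always decides first, so they are dead. A DROP
    shadowed by an ACCEPT above it is the ordering mistake with a security
    consequence; 'order does not matter' holds only while every rule in the
    reordered group has the same target."""
    reached = set()
    for p in probes:
        for i, rule in enumerate(chain):
            if rule.match(p):
                reached.add(i)
                break
    return [r.text for i, r in enumerate(chain)
            if i not in reached and any(r.match(p) for p in probes)]


if __name__ == "__main__":
    for name, (frank, mike) in compare(FRANKS_ORDER, MIKES_ORDER).items():
        print(f"{name:10s} Frank: {frank[0]} after {frank[1]} rule(s)   Mike: {mike[0]} after {mike[1]}")
    print("same verdicts:", verdicts_agree(FRANKS_ORDER, MIKES_ORDER))
    print("shadowed:", shadowed_rules([ICMP, PING_DROP], list(SAMPLES.values())))
```

Running it shows the two posted orderings reaching identical verdicts for every sample while the rule count to get there differs (a loopback packet costs one rule in Mike's order and three in Frank's; an established reply is the reverse), and shows the echo-request DROP reported as dead when placed under the blanket `-p icmp -j ACCEPT`. The model says nothing about the per-rule cost Stephen raises; that still needs measuring on the box.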