Difference between revisions of "Talk:Simple stateful firewall"

From ArchWiki
(Add note on ping rate-limiting considered harmful.)

Revision as of 16:26, 18 February 2015

Question about section "Protection against spoofing attacks"

The rule when rp_filter is 0 checks the source address. Previously I only read about checking the destination address with the comment "Reject external connections for internal networks".
As I'm still a network/firewall newbie, I cannot distinguish which is correct, or whether both are needed.

 # Drop packets addressed to the loopback range that did not arrive on the lo interface
 iptables -I INPUT ! -i lo -d 127.0.0.0/8 -j DROP

Same for the "IPv6" section.

Maddes.b (talk) 16:39, 26 August 2014 (UTC)
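The two checks asked about above look at different header fields and catch different packets, so one does not replace the other. The following is an added illustration, not part of the wiki page or either poster's text: a small model of the two directions run over constructed packet headers (interface, source, destination), extended to the IPv6 loopback address as well. The source-address check here is deliberately narrowed to the loopback range and is only a simplified stand-in for what rp_filter (a reverse-path lookup against the routing table) does; the destination-address check models the quoted rule `! -i lo -d 127.0.0.0/8 -j DROP`. All sample addresses are constructed documentation addresses.

```python
import ipaddress

# Loopback ranges that must only ever be seen on the lo interface (IPv4 and IPv6).
LOOPBACK_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
)


def is_loopback(addr):
    """True if addr (string) lies in one of the loopback ranges."""
    ip = ipaddress.ip_address(addr)
    # An IPv6 address is never "in" an IPv4 network and vice versa, so mixing is safe.
    return any(ip in net for net in LOOPBACK_NETS)


def source_check_drops(iface, src, dst):
    """Source-address direction (the anti-spoofing idea behind rp_filter):
    a packet claiming to come FROM loopback must have arrived on lo.
    Simplified model restricted to the loopback range, not a full reverse-path lookup."""
    return iface != "lo" and is_loopback(src)


def destination_check_drops(iface, src, dst):
    """Destination-address direction, i.e. the rule quoted in the question:
        iptables -I INPUT ! -i lo -d 127.0.0.0/8 -j DROP
    A packet addressed TO loopback that arrived on any other interface is dropped."""
    return iface != "lo" and is_loopback(dst)


# Constructed sample packets: (label, ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("spoofed loopback source", "eth0", "127.0.0.1", "192.0.2.10"),
    ("external to loopback", "eth0", "198.51.100.7", "127.0.0.1"),
    ("genuine loopback", "lo", "127.0.0.1", "127.0.0.1"),
    ("ordinary external", "eth0", "198.51.100.7", "192.0.2.10"),
    ("ipv6 spoofed source", "eth0", "::1", "2001:db8::10"),
]


def classify(packets):
    """Map each packet label to (dropped_by_source_check, dropped_by_destination_check)."""
    return {
        label: (source_check_drops(iface, src, dst), destination_check_drops(iface, src, dst))
        for label, iface, src, dst in packets
    }


def both_checks_needed(packets):
    """True when each check drops some packet the other lets through,
    i.e. neither rule subsumes the other."""
    results = list(classify(packets).values())
    only_source = any(s and not d for s, d in results)
    only_destination = any(d and not s for s, d in results)
    return only_source and only_destination


if __name__ == "__main__":
    for label, (s, d) in classify(SAMPLE_PACKETS).items():
        print(f"{label:26} source-check drop={str(s):5} destination-check drop={d}")
    print("both checks needed:", both_checks_needed(SAMPLE_PACKETS))
```

Running it shows the spoofed-source packets are caught only by the source check and the external-to-loopback packet only by the destination check, while genuine loopback and ordinary external traffic pass both; that is why the wiki section carries both a source-address rule (or rp_filter) and the destination-address rule.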

ICMP rate limiting considered harmful

I'd say that the ping rate limiter has little value. Processing those takes little effort for the kernel, especially compared to TCP. Anyhow, if you want to do proper traffic control, use tc, and look at queuing disciplines instead of arbitrary rate limits which may only be ephemerally valid and not applicable to most people.

I'm considering removing it soon.

Alp (talk) 16:26, 18 February 2015 (UTC)