From: Tom E. <te...@sh...> - 2009-04-30 23:48:35
Tom Eastep wrote:
> Tom Campion wrote:
>> Tom,
>>
>> Was hoping you could point me in the right direction. I'm an iptables
>> novice and have been trusting my configuration to Shorewall but have
>> run into some pushback from a colleague. I've never taken the time to
>> learn iptables so I don't know the meaning of all the rules or what
>> is really going on. My problem is I have to explain what Shorewall is
>> doing or figure out a way to make the output more basic (be able to
>> leave things out). My colleague has suggested the rule set produced
>> by Shorewall is too "busy and inefficient" (whatever is meant by
>> that). I believe my colleague to be as familiar with iptables as I am
>> and is getting hung up by all the chains. I think he would prefer to
>> see the default 3 (input, forward, and output) and nothing more.
>
> The Shorewall configuration is designed to scale to 100s of zones with
> many rules in each coordinate of the zones->zone matrix. A newbie
> configuration of INPUT, FORWARD and OUTPUT scales miserably.

Two questions that your colleague should ask when evaluating Shorewall's
ruleset against the '100s of rules in FORWARD' approach are:

a) How many rules, on average, does a packet that is part of an
established connection traverse?

b) How many rules, on average, does a packet representing a connection
request traverse?

When answering those questions, I think the approach taken in Shorewall
becomes clearer.

Now if you have very simple-minded firewall requirements, Shorewall's
approach is probably overkill. But if your requirements are that simple,
maybe Shorewall itself is overkill for your particular application.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
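Questions (a) and (b) above worked through numerically, as an added example that is not Shorewall's code or part of the thread: a small Python model of the two FORWARD layouts (one long flat chain versus a dispatch into per-zone-pair chains whose first rule accepts established traffic), with constructed zones, service ports and packets, that counts how many rules a packet is tested against before a verdict. The packet fields, zone names and ports are all assumed sample data.

```python
from itertools import product
# Constructed sample: three zones and five allowed service ports per zone pair.
ZONES = ["net", "loc", "dmz"]
SERVICES = [22, 25, 53, 80, 443]
ANY = None  # wildcard in a rule match

def rule(src=ANY, dst=ANY, dport=ANY, state=ANY, target="ACCEPT"):
    return {"src": src, "dst": dst, "dport": dport, "state": state, "target": target}

def matches(r, pkt):
    return all(r[k] is ANY or r[k] == pkt[k] for k in ("src", "dst", "dport", "state"))

def flat_ruleset():
    """The 'INPUT/FORWARD/OUTPUT only' layout: every zone-pair rule in one long chain."""
    fwd = [rule(s, d, p) for s, d in product(ZONES, ZONES) if s != d for p in SERVICES]
    fwd.append(rule(target="DROP"))
    return {"FORWARD": fwd}

def zone_matrix_ruleset():
    """Zone-matrix layout: FORWARD jumps to a per-pair chain that tests state first."""
    chains = {"FORWARD": []}
    for s, d in product(ZONES, ZONES):
        if s == d: continue
        name = f"{s}2{d}"
        chains["FORWARD"].append(rule(s, d, target=name))
        chains[name] = [rule(state="ESTABLISHED")]          # only new connections go further
        chains[name] += [rule(dport=p, state="NEW") for p in SERVICES]
        chains[name].append(rule(target="DROP"))
    chains["FORWARD"].append(rule(target="DROP"))
    return chains

def traverse(chains, pkt, chain="FORWARD"):
    """Return (verdict, rules evaluated), following jumps into user chains."""
    count = 0
    for r in chains[chain]:
        count += 1
        if matches(r, pkt):
            if r["target"] in chains:  # jump; the callee's rule count is added
                verdict, n = traverse(chains, pkt, r["target"])
                return verdict, count + n
            return r["target"], count
    return "RETURN", count  # end of chain (every chain here ends in DROP)

def sample_packets(state):
    # Constructed traffic: one packet per zone pair per allowed service.
    return [{"src": s, "dst": d, "dport": p, "state": state}
            for s, d in product(ZONES, ZONES) if s != d for p in SERVICES]

def average_cost(chains, packets):
    # Average number of rules a packet is tested against before a verdict.
    return sum(traverse(chains, p)[1] for p in packets) / len(packets)
```

With these three zones the flat chain costs every packet 15.5 rules on average whether or not the connection is established, while the zone-matrix layout costs 4.5 for established packets and 7.5 for connection requests; the gap widens as zones and rules are added.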