Re: Why not have firewall rules by default?

• Henrique de Moraes Holschuh:

> On Wed, 23 Jan 2008, Rolf Kutz wrote:
>> On 23/01/08 08:29 -0700, Michael Loftis wrote:
>>> It's better to leave the service disabled, or even better, completely
>>> uninstalled from a security standpoint, and from a DoS standpoint as
>>> well. The Linux kernel isn't very efficient at processing firewall
>>> rules. Newer
>>
>> I thought it was very efficient in doing so. YMMV.
>
> Quite the contrary. It is *dog* *slow* for non-trivial firewalls.

It depends a lot on the traffic characteristics. For a few, long flows, Netfilter is pretty efficient if you use connection tracking. Per-flow setup costs are also much lower than most of the proprietary offerings running on non-specialized hardware. It also helps that, unlike appliances, custom-built Linux packet filters typically use current CPUs with relatively large caches.

> You need to be doing some *heavy* firewalling (many rules) for any of that
> to really matter, and on very fast links (gigabit) because nobody will
> notice the firewall's speed on something as a 10Mbit/s link...

This is why Netfilter is considered fast, other implementations have trouble keeping up with 10 Mbit/s links. 8-P

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org