
Re: is iptables slow?



On Thu, Nov 15, 2001 at 11:31:15AM +0100, Boris Bierwald wrote:
> I would assume that your DROP default policy causes the delay. At least
> most smtp- and ftp-servers will send an ident query back to your host
> if you try to connect to them. If you simply ignore the queries, those
> servers will wait until a timeout occurs. Try to use the --state
> RELATED match, or change your default policy to REJECT if you like to
> have ident queries blocked. 
> 
A simple alternative is to REJECT just identd. The default policy of
drop annoys scanners more than a reject. Of course this doesn't
make portscanning more difficult, just a little bit slower.

- Einar Karttunen
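The rule Einar describes, as an added example that is not part of the original post or of any project's code: keep the INPUT chain's default policy at DROP, but answer new inbound ident (TCP/113) connections with a TCP reset so a remote SMTP or FTP server's identd lookup fails at once instead of sitting out its timeout. The interface name `eth0`, the `iptables` binary name and the `ESTABLISHED,RELATED` rule for this host's own outgoing sessions are assumptions; the script prints the rules by default and only applies them when run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables rules that REJECT inbound
# ident (TCP/113) with a TCP RST while the chain's default policy stays DROP.
# The interface name and the iptables binary are assumptions for this example.
IPT=${IPT:-iptables}
WAN_IF=${WAN_IF:-eth0}   # assumed external interface name

# Print the rules, one per line, so they can be reviewed before they are applied.
# Arguments: <iptables binary> <external interface>
ident_reject_rules() {
    ipt=$1; iface=$2
    # Replies to sessions this host opened (the SMTP/FTP connection itself).
    printf '%s -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$ipt"
    # The ident callback is a *new* inbound TCP connection to port 113; it is
    # not tracked as RELATED to the outgoing session, so it needs its own rule.
    # A TCP RST makes the remote identd client give up immediately instead of
    # waiting for its timeout (plain REJECT would send an ICMP port-unreachable).
    printf '%s -A INPUT -i %s -p tcp --dport 113 -m state --state NEW -j REJECT --reject-with tcp-reset\n' "$ipt" "$iface"
    # Everything else still falls through to the DROP policy.
    printf '%s -P INPUT DROP\n' "$ipt"
}

# How many emitted rules answer a probe with REJECT rather than silently dropping it.
# Expected: exactly one (the ident rule); the rest of the chain stays DROP.
count_rejects() {
    ident_reject_rules "$1" "$2" | grep -c -- '-j REJECT'
}

# Dry-run by default; apply only when explicitly asked and running as root.
if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    ident_reject_rules "$IPT" "$WAN_IF" | sh -e
else
    ident_reject_rules "$IPT" "$WAN_IF"
fi
```

Rejecting only port 113 keeps the trade-off Einar mentions: a scanner still learns nothing new from the DROP policy on the other ports, while the one port that legitimately gets probed by servers you connect to answers instantly. Check the rules with `iptables -L INPUT -n --line-numbers` after applying them, and make sure the ident rule sits after the `ESTABLISHED,RELATED` rule and before any catch-all.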




