
Re: Why not have firewall rules by default?



On Wed, 23 Jan 2008, Rolf Kutz wrote:
> On 23/01/08 08:29 -0700, Michael Loftis wrote:
>> It's better to leave the service disabled, or even better, completely  
>> uninstalled from a security standpoint, and from a DoS standpoint as 
>> well. The Linux kernel isn't very efficient at processing firewall 
>> rules.  Newer 
>
> I thought it was very efficient in doing so. YMMV.

Quite the contrary. It is *dog* *slow* for non-trivial firewalls.  You have
to use a number of tricks to optimize the rule walk (many tables, hashing,
etc), and anything that reduces the number of rules (like IPSet) is a major
performance bonus.

Or you can rip the standard netfilter firewall out, and install a
high-performance one (such as HiPAC), but those are mostly unmaintained
these days, and have a lot less features than the standard one.

You need to be doing some *heavy* firewalling (many rules) for any of that
to really matter, and on very fast links (gigabit), because nobody will
notice the firewall's speed on something like a 10Mbit/s link...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
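As an added illustration of the tricks Henrique lists (this is not code from the post, the list, or any Debian package): a POSIX sh script that writes the same blocklist three ways, as plain INPUT rules, as per-/8 user chains, and as a single ipset hash:net match, and counts how many rules sit in the chain a packet has to walk. The addresses are a constructed sample and the first-octet /8 split is an assumption chosen for illustration; the output is iptables-restore and ipset restore text, so it runs without root and touches no kernel.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post: the same blocklist
# policy written three ways, so the per-packet rule walk can be compared.
# Output is iptables-restore / ipset restore text; nothing touches the kernel.

# Constructed sample blocklist (documentation and shared-address ranges,
# not real abuse data).
BLOCKLIST="198.51.100.0/24 198.51.101.0/24 203.0.113.0/24 192.0.2.0/24 100.64.0.0/10"

# 1. Naive: one INPUT rule per network. netfilter evaluates these top to
#    bottom for every packet, so the cost grows linearly with the list.
naive_rules() {
    printf '%s\n' '*filter'
    for net in $BLOCKLIST; do
        printf '%s\n' "-A INPUT -s $net -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# 2. "Many tables": split by first octet into user chains (assumed split,
#    for illustration). Only the jump list plus one sub-chain is walked per
#    packet, not every DROP rule.
split_rules() {
    octets=""
    for net in $BLOCKLIST; do
        o=${net%%.*}
        case " $octets " in
            *" $o "*) ;;
            *) octets="$octets $o" ;;
        esac
    done
    printf '%s\n' '*filter'
    for o in $octets; do
        printf '%s\n' ":BL_$o - [0:0]"
    done
    for o in $octets; do
        printf '%s\n' "-A INPUT -s $o.0.0.0/8 -j BL_$o"
    done
    for net in $BLOCKLIST; do
        printf '%s\n' "-A BL_${net%%.*} -s $net -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# 3. ipset: the networks live in a hash:net set, and INPUT carries a single
#    match rule. Chain length no longer depends on the list size.
ipset_set() {
    printf '%s\n' 'create blocklist hash:net family inet'
    for net in $BLOCKLIST; do
        printf '%s\n' "add blocklist $net"
    done
}

ipset_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' '-A INPUT -m set --match-set blocklist src -j DROP'
    printf '%s\n' 'COMMIT'
}

# Number of rules in chain $2 emitted by generator $1.
rule_count() {
    "$1" | grep -c "^-A $2 "
}

echo "naive INPUT rules: $(rule_count naive_rules INPUT)"
echo "split INPUT rules: $(rule_count split_rules INPUT) (plus one BL_ chain per packet)"
echo "ipset INPUT rules: $(rule_count ipset_rules INPUT)"
```

To apply any of the three for real, pipe `naive_rules` or `split_rules` into `iptables-restore`, or `ipset_set` into `ipset restore` followed by `ipset_rules` into `iptables-restore` (the ipset form needs the xt_set match in the kernel). The /8 split is only a stand-in for whatever prefix distribution a real list has; with a handful of entries it saves nothing, which is the point of the last paragraph above.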
