[pve-devel] firewall option nosmurfs and tcpflags
Alexandre DERUMIER
aderumier at odiso.com
Fri Apr 18 10:09:15 CEST 2014
I mean, I we have a bad packet (smurf or bad tcpflags) attack,
for each packet it need to go to the whole chains (vmbrxxx,tapxxx,..) to match the nosmurf or tcpflag block rule.
just put the rule in PVEFW-FORWARD, after
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FORWARD -p tcp -j PVEFW-tcpflags
----- Mail original -----
De: "Dietmar Maurer" <dietmar at proxmox.com>
À: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Envoyé: Vendredi 18 Avril 2014 09:01:43
Objet: RE: firewall option nosmurfs and tcpflags
> Yes, I think it's ok. It could also improve performance, for bad packets, less
> lookups in vmbr, tap chains.
oh, how can we improve performance?
More information about the pve-devel
mailing list