[163102] in North American Network Operators' Group
Re: High throughput bgp links using gentoo + stripped kernel
daemon@ATHENA.MIT.EDU (Ben)
Sun May 19 19:28:13 2013
Date: Mon, 20 May 2013 11:27:57 +1200
From: Ben <ben@meh.net.nz>
To: Nick Khamis <symack@gmail.com>
In-Reply-To: <CAGWRaZaMup2nx-K3Sc6d3FZNHB7xSTPONgOHEggLJYVtDkvEPg@mail.gmail.com>
Cc: nanog@nanog.org, Andre Tomt <andre@tomt.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Sun, May 19, 2013 at 11:48:17AM -0400, Nick Khamis wrote:
> We do use a stateful iptables on our router, some forward rules...
> This is known to be one of our issues, not sure if having a separate
> iptables box would be the best and only solution for this?
Do you actually need stateful filtering? A lot of people seem to think
that it's important, when really they're accomplishing little from it;
you can block ports etc. without it. And the idea of protecting hosts
from strange traffic is only really significant if the hosts have very
outdated TCP/IP stacks etc. And it breaks things like having multiple
routers.
There's an obscure NOTRACK rule you can use to cut down the number of
state entries, or remove state tracking for hosts that don't need it.
http://serverfault.com/questions/234560/how-to-turn-iptables-stateless
although googling for NOTRACK should find other things too.
Ben.
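As an added illustration of the NOTRACK approach Ben points at (this is not part of his message or of the serverfault answer), the sketch below exempts a forwarded transit prefix from conntrack in the raw table, filters it statelessly, and keeps state tracking only for traffic to the router itself. The prefix and BGP peer address are constructed placeholders; the hostnames of the real network are unknown.

```shell
#!/bin/sh
# Added example, not from Ben's message: exempt forwarded transit traffic
# from conntrack with a raw-table NOTRACK rule, filter it statelessly, and
# keep state tracking only for traffic addressed to the router itself.
# TRANSIT_NET and BGP_PEER are constructed placeholder values.
IPT=${IPT:-iptables}
TRANSIT_NET=${TRANSIT_NET:-203.0.113.0/24}   # customer prefix (constructed)
BGP_PEER=${BGP_PEER:-192.0.2.1}              # eBGP neighbour (constructed)

# Print the rule set rather than applying it, so it can be reviewed first.
emit_rules() {
  cat <<EOF
# The raw table runs before conntrack; NOTRACK here keeps these flows out
# of the state table entirely (newer iptables spells it "-j CT --notrack").
$IPT -t raw -A PREROUTING -d $TRANSIT_NET -j NOTRACK
$IPT -t raw -A PREROUTING -s $TRANSIT_NET -j NOTRACK
# Stateless forwarding policy: untracked packets never match ESTABLISHED,
# so "reply" traffic is approximated by TCP segments that are not a bare SYN.
# UDP has no handshake to key on, so only explicitly served ports pass.
$IPT -A FORWARD -s $TRANSIT_NET -j ACCEPT
$IPT -A FORWARD -d $TRANSIT_NET -p tcp ! --syn -j ACCEPT
$IPT -A FORWARD -d $TRANSIT_NET -p tcp --syn -m multiport --dports 80,443 -j ACCEPT
$IPT -A FORWARD -d $TRANSIT_NET -p udp --dport 53 -j ACCEPT
$IPT -A FORWARD -d $TRANSIT_NET -p icmp -j ACCEPT
$IPT -A FORWARD -d $TRANSIT_NET -j DROP
# Router-destined traffic is still tracked, so state matching is fine here.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp -s $BGP_PEER --dport 179 -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT
$IPT -A INPUT -j DROP
EOF
}

# Guard against the classic mistake: a --ctstate match on a prefix that is
# NOTRACKed can never match, so such a rule silently drops that traffic.
check_rules() {
  if emit_rules | grep -- "$TRANSIT_NET" | grep -q ctstate; then
    echo "error: state match on untracked prefix $TRANSIT_NET" >&2
    return 1
  fi
}

apply_rules() { check_rules && emit_rules | sh -e; }

if [ "${1:-}" = apply ]; then apply_rules; else emit_rules; fi
```

Run without arguments to review the generated rules, or with `apply` to load them; the ordering matters because the NOTRACK rules must sit in the raw table, which is evaluated before conntrack sees the packet.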