Re: IP Filters?

Chad Scott (chad@txdirect.net)
Fri, 4 Jul 1997 18:02:01 -0500 (CDT)

On Fri, 4 Jul 1997, Fernando da Silveira Montenegro wrote:

> I know that ordering the rules so that the majority of traffic (TCP
> establisheds and generic UDP packets) matches the first few rules will
> help, but does anybody have any experience with more than, say, 50-100
> rules on an inbound serial filter on the PM2?

50 to 100 rules?! Goodness! There must be a way for you to aggregate
them.

You're going to see a performance hit as soon as you begin filtering
traffic. The more rules, the more of a performance hit. I've never
personally gotten enough rules in there to cause a noticeable delay in
processing, but I've never had King Kong size filters as you do.

> I know that using, for instance, an outbound ethernet filter is more
> efficient than many inbound serial ones, but then I leave users able to
> telnet to my PMs, and that's a no-no.

Here's my inbound filter on my Office Router (commented for clarity):
permit 123.123.123.0/24 1.2.3.4/32 tcp dst eq 23
# allow telnet from 123.123.123.0/24 to my OR
permit 123.123.123.0/24 1.2.3.4/32 tcp dst eq 1643
# allow pmconsole sessions from 123.123.123.0/24 to my OR
deny 0.0.0.0/0 1.2.3.4/32 tcp
deny 0.0.0.0/0 1.2.3.4/32 udp
# deny all other traffic to my OR
permit 0.0.0.0/0 1.2.3.0/24 tcp
permit 0.0.0.0/0 1.2.3.0/24 udp
permit 0.0.0.0/0 1.2.3.0/24 icmp
# allow everything else

Here's my outbound filter on the ethernet interface:
permit 0.0.0.0/0 1.2.3.0/24 tcp estab
# allow established tcp sessions
permit 0.0.0.0/0 1.2.3.0/24 udp
# allow all udp traffic
permit 0.0.0.0/0 1.2.3.0/24 icmp
# allow all icmp traffic
permit 0.0.0.0/0 1.2.3.0/24 tcp src eq 20
# allow connections to port 20 inside my network (FTP needs this)

This effectively creates a one-way filter, meaning that I can connect
elsewhere, but people can't connect to a machine inside my LAN. This
should get you started.

Chad Scott | chad@txdirect.net
Systems Administrator | Voice 210-308-9800 x206
Internet Direct, Incorporated | FAX 210-308-9240
---------------------------------------------------------
Finger chad@txdirect.net for PGP Public Key