[svlug] deny ssh

Nate Campi nate at wired.com
Tue Nov 27 13:13:02 PST 2001


On Tue, Nov 27, 2001 at 11:33:56AM -0800, David Masten wrote:
> On Tue, 2001-11-27 at 09:28, Robert Khachikyan wrote:
> > or just put ipchains and deny the ip to port 22(ssh).
> > 
> This is very ugly. It works, but it is just a *Bad Thing* (unless
> ipchains is already running). This adds additional processing for every
> IP packet. For a typical home machine with DSL or Cable networking, it
> is no big deal, for any type of network intensive or CPU intensive
> machine, it is a very big deal.

David, I've heard people make these claims before and never found any
studies that backed up such a claim. I've searched for them and asked on
the netfilter mailing list as well, all to no avail.

Obviously it's extra overhead/processing, no contest there. The question
is at what point is it measurable?

Usually the highest traffic servers you want to firewall are webservers,
so how about that? My company serves the top header bar for millions and
millions of page views each day from two small clusters of linux
machines, and they process every packet with ipchains that comes in (not
out, AFAIK). The speeds and traffic that are shuttled out of those boxes
are nothing short of incredible.

Due to this I would guess that most people and sites won't come close
to approaching the limit where packet filtering will adversely affect
their *hosts*. Maybe if they are on a really, really slow processor that
is overloaded already, and they are doing complex filtering inbound and
outbound, maybe.

Don't bring up a PeeCee doing packet filtering gateway duty for a gigabit
link, this is about hosts, not gateways.

I politely ask you to back up your claims.
-- 
Nate Campi | Terra Lycos DNS | SF UNIX Operations | (415) 276-8678

Your mantra for today is: Don't let data from the network near a
shell. Bad things happen.                    -- Randall Schwartz
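For reference, here is what the per-host rule Robert suggests actually looks like, as an added example and not code from anyone in the thread. It builds the ipchains "input" chain rule that denies one source address access to TCP port 22, validates the address first (a typo such as a bare "0/0" would otherwise deny everyone), inserts the rule at the top of the chain so an earlier ACCEPT cannot shadow it, and logs hits with -l so you can see the block fire. The function names and the addresses 192.0.2.10 and 198.51.100.7 are my own (documentation-range addresses, constructed for the example); ipchains itself is the 2.2-kernel tool the thread discusses, so the script defaults to printing the commands and only runs them when DRYRUN=0 as root.

```shell
#!/bin/sh
# Added example, not from the original svlug thread: deny one source
# address access to sshd (TCP/22) on this host with ipchains, as the
# thread suggests. Only the host "input" chain is touched, since the
# discussion is about filtering on a host rather than a gateway.

# Accept only a dotted-quad IPv4 address with an optional /prefix and
# octets in range. Anything else is refused so that a mistyped address
# (ipchains reads "0/0" as "any host") cannot turn into a global deny.
valid_ipv4() {
    addr=${1%%/*}
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    for o in "$1" "$2" "$3" "$4"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the ipchains command for one blocked address. -I (insert at
# position 1) rather than -A, so the DENY is matched before any earlier
# ACCEPT in the input chain; "-d 0/0 22" means any local address, port 22;
# -l logs each denied packet to the kernel log. DENY drops silently; use
# REJECT instead if the remote side should get an ICMP error.
ssh_deny_rules() {
    valid_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
    printf 'ipchains -I input 1 -p tcp -s %s -d 0/0 22 -j DENY -l\n' "$1"
}

# Build the rule for every address given. Prints the commands by default
# (DRYRUN=1); with DRYRUN=0 it runs them, which needs root and a kernel
# that still has ipchains (later kernels replaced it with iptables/nftables).
deny_ssh_from() {
    for ip in "$@"; do
        cmd=$(ssh_deny_rules "$ip") || return 1
        if [ "${DRYRUN:-1}" = 1 ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
}

# Usage (dry run): deny_ssh_from 192.0.2.10 198.51.100.7
```

Ordering matters in ipchains exactly as the example assumes: chains are walked first match wins, so appending the DENY after a broad ACCEPT would leave the host open, which is the usual way this "simple" approach goes wrong.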
