Mailing List Archive

   tlug.jp -> Mailing List -> tlug archive -> tlug Mailing List Archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tlug] CPU cycles and packet filtering

On Thu, 26 Dec 2002 08:36:45 -0500, Josh Glover <jmglov@example.com> wrote
to tlug@example.com:

> When you do not have to worry about users, stopping the packet as low as
> possible in the TCP/IP stack is going to be the most efficient solution.

That's what seemed most logical to me. The further up the stack the data
gets, the more processing has been done. Boot the packet out in layer 3 (IP)
and you've saved yourself a fair amount of work. Thanks for the
confirmation.

If, OTOH, instead of dropping all connections from a the subnets in my list,
I route all incoming packets supposed to go to TCP port 25 into a separate
chain, and only check IP addies in that chain, have those packets already
made it to layer 4 or does the filter already "know" that's where the packet
will end up without the kernel having pushed it up?

> My opinion? Stick with your iptables solution.

That's what I'll do.

> Have you also noticed that you park in a driveway and drive
> on a parkway? ;)

LOL :)  Except that doesn't work in (British) English because "parkway" is
an American word, the meaning of which I don't really know.

As a coder, you'll probably appreciate the signature at the bottom of this
mail :)

Anyway, FWIW, here's the list of "offending" subnets I've built if anyone
else wants to adopt a similar solution:

Korea:
------

kornet.net		61.78.0.0 -> 61.85.255.255
			61.78.0.0/15
			61.80.0.0/14
			61.84.0.0/15

			61.72.0.0 -> 61.75.255.255
			61.72.0.0/14

			211.222.212.0 -> 211.222.215.255
			211.222.212.0/22

boranet			61.32.0.0 -> 61.43.255.255
			61.32.0.0/13
			61.40.0.0/14

hananet			211.200.78.0 -> 211.200.79.255
			211.200.78.0/23

eyes			211.238.96.128 -> 211.238.96.255
			211.238.96.128/25


Mainland China:
---------------

pingnet			194.148.0.0 -> 194.148.255.255
			194.148.0.0/16

capital network		211.101.128.0 -> 211.102.127.255
			211.101.128.0/17
			211.102.0.0/17

chinacomm.com.cn	211.157.96.0 -> 211.157.127.255
			211.157.96.0/19


Taiwan:
-------

hinet.net		61.228.0.0 -> 61.231.255.255
			61.228.0.0/14

ncic.com.tw		218.32.0.0 -> 218.32.255.255
			218.32.0.0/16


Brazil:
-------

Sao Paolo telecom	200.148.0.0 -> 200.148.127.255
			200.148.0.0/17

			200.158.0.0 -> 200.158.127.255
			200.158.0.0/17

			200.161.0.0 -> 200.161.255.255
			200.161.0.0/16

Ajato			200.162.208.0 -> 200.162.223.255
			200.162.208.0/20

Others:
-------

BT Online Nigeria	213.181.64.0 -> 213.181.64.255
			213.181.64.0/24


These subnets account for just over 2 million machines, which in turn
account for approximately 0.05% of the possible IPV4 address space. It just
goes to show what a nuisance a small minority can be...

-- 
G. Stewart   --   gstewart@example.com
                  gstewart@example.com
Registered Linux user #284683

GnuPG key  : BA3D01C6 (pgp.mit.edu)
Fingerprint: C3DF C686 6572 6E59 E3E4  0F40 2B9A 2218 BA3D 01C6
---------------------------------------------------------------
There are only 10 kinds of people in the world: Those who understand
binary, and those who don't.

Attachment: pgp00048.pgp
Description: PGP signature

Home | Main Index | Thread Index

Home Page Mailing List Linux and Japan TLUG Members Links