View Single Post
  #2   (View Single Post)  
Old 14th July 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,211

Since your rules are "quick", only the first matching rule applies. And, because they are "keep state", an existing state table entry eliminates rule matching entirely.

With that in mind, your second pass rule will only match in the unique case when the session originates on your router, to the web server. It will never match for any other connection. (If there is a state in progress, no rules are tested, and if not, then external traffic will match the first pass rule, and traffic within $int_if will travel directly on the subnet.)

If your router is also functioning as a proxy web server, then the second rule will match, as the proxy server will initiate separate traffic to the web server. But if that were the case, traffic to port 80 would be destined for the router, not for the webserver.

Your third and fourth pass rules will not likely apply in any situation, as states for TCP sessions were established by the first rule.

You'll need to determine what limits to put on state tables; I use state table management for sshd and ftpd; and there, I use only max-src-conn-rate.
Reply With Quote