[lug] Personal Server Behind DSL Router
zlynx at acm.org
Fri Jan 12 10:28:53 MST 2007
On Thu, 2007-01-11 at 21:37 -0700, Ken MacFerrin wrote:
> > I typically don't run iptables on a box like this because all the
> > services it provides are public. So there isn't anything for iptables
> > to block (obviously there are some other useful things iptables can do).
> Why wouldn't you firewall each machine? This provides an additional
> layer of protection for your server in case another machine in your
> internal network is compromised (i.e. your visiting relative that wants
> to use their spyware-filled XP laptop at the house). Given the small
> memory footprint and simplicity of setting up something like shorewall I
> can't see why not to turn it on.
Well, for an actual *server* server, like one running on an internal
company LAN where it can actually approach using a significant fraction of
a 100 Mbps Ethernet . . .
You turn off iptables and all netfilter code so that your server doesn't
suffer the CPU overhead of connection tracking.
Netfilter can also screw up networking zero-copy, I believe, although I
may be remembering what I read about some of those network offload cards
Linus doesn't like. (The theory there is that the card handles all the
TCP packeting, and simply DMAs datastreams to/from main memory. Like
Infiniband RDMA but over Ethernet.)
Speaking of that, I wonder if anyone has Linux drivers for the KillerNIC
yet (It's Linux on a card, doing network offload for Windows).
Zan Lynx <zlynx at acm.org>
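The two positions above (a host firewall as an extra layer versus no netfilter to avoid connection-tracking overhead) are not mutually exclusive. The script below is an added example, not from either poster: it builds an iptables-restore ruleset in which the public service ports bypass conntrack via the raw table's NOTRACK target, while everything else stays stateful and is denied by default. The port numbers and the LAN prefix allowed to reach SSH are constructed assumptions.

```shell
#!/bin/sh
# Added example (not part of the original thread): a host firewall for a public
# server that keeps the "extra layer" while sidestepping conntrack for the busy
# public ports. Ports and LAN_NET are constructed assumptions.

LAN_NET="192.168.1.0/24"   # assumed management network allowed to reach SSH

# gen_rules PORT... : write an iptables-restore ruleset to stdout.
gen_rules() {
    echo "*raw"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    for p in "$@"; do
        # Skip connection tracking for inbound requests and the outbound replies,
        # so the public services carry no conntrack CPU or table cost.
        echo "-A PREROUTING -p tcp --dport $p -j NOTRACK"
        echo "-A OUTPUT -p tcp --sport $p -j NOTRACK"
    done
    echo "COMMIT"

    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    # Untracked packets arrive with ctstate UNTRACKED; accept them only on the
    # public ports, so NOTRACK does not silently open anything else.
    for p in "$@"; do
        echo "-A INPUT -m conntrack --ctstate UNTRACKED -p tcp --dport $p -j ACCEPT"
    done
    # Everything else is stateful: replies to our own connections, SSH from the
    # LAN only, and ping. The default INPUT policy drops the rest.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate NEW -p tcp --dport 22 -s $LAN_NET -j ACCEPT"
    echo "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    echo "COMMIT"
}

# count_rules PORT... : number of rule lines (-A ...) in the generated set.
count_rules() {
    gen_rules "$@" | grep -c '^-A '
}

if [ "$1" = "--apply" ]; then
    shift
    # Requires root; iptables-restore loads the whole set atomically.
    gen_rules "$@" | iptables-restore
else
    gen_rules "$@"
fi
```

Run as `sh firewall.sh 80 443` to review the ruleset, or `sh firewall.sh --apply 80 443` as root to load it. On recent iptables the NOTRACK target is spelled `-j CT --notrack`; the UNTRACKED match in the filter table is what keeps the bypass from turning into an unconditional accept. Throughput gains from this depend on the workload, so measure before and after rather than assuming.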