6. Firewall Optimization
Chapter 5, “Building and Installing a Standalone Firewall,” used both the
nftables firewall administration programs to build a simple, single-system, custom-designed firewall. This chapter introduces firewall optimization. Optimization can be divided into three major categories: rule organization, use of the state module, and user-defined chains. The example in the preceding chapter was shown both with and without the use of the state module. This chapter focuses on rule organization and user-defined chains.
Little optimization can be done using only the
FORWARD chains. Chain traversal is top to bottom, one rule at a time, until the packet matches a rule. The rules on ...
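A simplified model of the top-to-bottom, first-match traversal described above, added here as an illustration (it is not code from the book or from nftables). The chain names, services, and traffic mix are constructed assumptions; the model counts how many rules are tested for the same packets under a flat chain, a reordered chain, and user-defined chains.

```python
from collections import Counter

def traverse(chains, name, pkt):
    """Walk one chain top to bottom; return (verdict or None, rules tested)."""
    tested = 0
    for match, verdict in chains[name]:
        tested += 1
        if not match(pkt):
            continue
        if isinstance(verdict, tuple):            # ("jump", chain): descend
            sub, n = traverse(chains, verdict[1], pkt)
            tested += n
            if sub is None:
                continue                          # fell off the end: resume here
            return sub, tested
        return verdict, tested                    # first match ends traversal
    return None, tested

def svc(proto, port):
    return lambda p: p["proto"] == proto and p["dport"] == port

def is_proto(proto):
    return lambda p: p["proto"] == proto

TCP = [(svc("tcp", port), "accept") for port in (22, 25, 80, 443)]
UDP = [(svc("udp", port), "accept") for port in (53, 123)]

FLAT = {"input": TCP + UDP}              # rarely hit rules first
REORDERED = {"input": UDP + TCP}         # safe only because rules are disjoint
SPLIT = {                                # one protocol test, then a short chain
    "input": [(is_proto("udp"), ("jump", "udp_in")),
              (is_proto("tcp"), ("jump", "tcp_in"))],
    "udp_in": UDP,
    "tcp_in": TCP,
}

# Constructed traffic mix: mostly DNS, some HTTPS, one unsolicited UDP packet.
TRAFFIC = ([{"proto": "udp", "dport": 53}] * 6
           + [{"proto": "tcp", "dport": 443}] * 3
           + [{"proto": "udp", "dport": 9999}])

def cost(chains):
    """Return (total rules tested, verdict counts); no match means policy drop."""
    total, verdicts = 0, Counter()
    for pkt in TRAFFIC:
        verdict, tested = traverse(chains, "input", pkt)
        total += tested
        verdicts[verdict or "drop"] += 1
    return total, dict(verdicts)

if __name__ == "__main__":
    for label, chains in (("flat", FLAT), ("reordered", REORDERED), ("split", SPLIT)):
        print(label, cost(chains))
```

For this constructed mix the three layouts give identical verdicts while testing 48, 30, and 34 rules respectively. Reordering is only verdict-preserving here because no two rules match the same packet.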