Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Shells Virtual Desktop
BMail.ag - Secure Email Service
Server.net
CPLicense.net
VPS Server
Buy VPN
Vultr
VMs for AI
HostDare
HostDare
ReliableSite White-Label Dedicated Hosting for Resellers
25% Recurring Discount on NVMe VPS
InterServer VPS
BMail.ag - Secure Email Service
Best VPN
High-Performance Bare Metal Server Solutions
Karvl.com
Server Mania Cloud Hosting
DataWagon Hosting
AlphaVPS Hosting
Evoxt.com
Clouvider
VPS Hosting with NVMe
Residential IPs in the US & 4G Mobile Proxies in EU & US with Unlimited Bandwidth
ReliableSite White-Label Dedicated Hosting for Resellers
Rabisu - Hosting Solutions
CloudLinux
Shells Virtual Desktop
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

What firewall do you use?

FubukiFubuki Member

been using ufw for all of my firewall for my servers but iv been thinking of switching to nftables since it looks more advanced and stable

Thanked by 2mandala blanehol
the quiz is upside down
  1. What type do you use?33 votes
    1. ufw
      57.58%
    2. iptables
        9.09%
    3. nftables
      21.21%
    4. other
        9.09%
    5. Cloudflare (and CF tunnels)
        3.03%

Comments

  • forestforest Member
    edited 3:14AM

    All of these actually use nftables under the hood. UFW is an iptables frontend and modern iptables is usually iptables-nft, which just translate iptables commands into (sloppy) nftables rules. But writing directly in nftables is always best.

    I like to use nftables, but if bpfilter becomes stable and usable one day, I'll switch in a heartbeat because the performance improvement is absolutely unbeatable and its extensibility is limitless.

    The nft syntax can be a little confusing at first, but it's really not that bad. A basic "allow all out, allow SSH in from 203.0.113.69 only, allow web traffic in from any IP" ruleset would be:

    flush ruleset
    
    table inet filter {
            chain input {
                    type filter hook input priority filter; policy drop;
    
                    # allow loopback and incoming replies
                    iif lo accept
                    ct state { established, related } accept
    
                    # restrict ssh to our home ip but allow anyone to access our web server
                    ct state new ip saddr 203.0.113.69 tcp dport ssh accept
                    ct state new tcp dport { http, https } accept
    
                    # allow necessary and useful icmp types
                    icmp type echo-request limit rate 25/second accept
                    icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } limit rate 25/second accept
            }
    
            chain output {
                    type filter hook output priority filter; policy accept;
            }
    
            chain forward {
                    type filter hook forward priority filter; policy drop;
            }
    }
    

    Btw, you can also use it for more complex things like port knocking (in a bit of a hacky way), DNAT, forcing certain applications to use certain source IPs, and even loopback and output filtering for server hardening:

    flush ruleset
    
    define primary_ipv4 = 23.137.105.248
    define secondary_ipv4 = [REDACTED]
    define primary_ipv6 = 2602:fb54:1400::1d
    
    define knock_port_1 = [REDACTED]
    define knock_port_2 = [REDACTED]
    define knock_port_3 = [REDACTED]
    define ssh_nat_port = [REDACTED]
    
    define tor_orport = 9001
    define i2p_port = 27016
    define freenet_opennet = 61601
    define freenet_darknet = 54696
    define monero_p2p_port = 18080
    define monero_rpc_port = 18089
    define syncthing_relay_port = 22067
    define syncthing_status_port = 22070
    define snowflake_port_min = 41000
    define snowflake_port_max = 41999
    
    define beszel_addr = [REDACTED]
    define beszel_port = [REDACTED]
    
    table inet filter {
            set knock_stage_1 {
                    type ipv4_addr
                    size 8192
                    flags timeout
                    timeout 5s
            }
    
            set knock_stage_2 {
                    type ipv4_addr
                    size 256
                    flags timeout
                    timeout 5s
            }
    
            set knock_success {
                    type ipv4_addr
                    size 256
                    flags timeout
                    timeout 5s
            }
    
            chain prerouting {
                    type filter hook prerouting priority raw; policy accept;
                    tcp flags syn jump knock_check
            }
    
            chain prerouting_nat {
                    type nat hook prerouting priority dstnat; policy accept;
                    tcp dport $ssh_nat_port ip saddr @knock_success redirect to :ssh
            }
    
            chain knock_check {
                    # Knock sequence
                    ip saddr @knock_stage_2 tcp dport $knock_port_3 log prefix "Port knock: " add @knock_success { ip saddr } goto knock_reset
                    ip saddr @knock_stage_1 tcp dport $knock_port_2 delete @knock_stage_1 { ip saddr } add @knock_stage_2 { ip saddr } return
                    tcp dport $knock_port_1 goto knock_start
    
                    # Wrong port knock_success, reset
                    ip saddr @knock_stage_2 goto knock_reset
                    ip saddr @knock_stage_1 goto knock_reset
            }
    
            chain knock_reset {
                    delete @knock_stage_1 { ip saddr }
                    delete @knock_stage_2 { ip saddr }
            }
    
            chain knock_start {
                    jump knock_reset
                    add @knock_stage_1 { ip saddr }
            }
    
            chain input {
                    type filter hook input priority filter; policy drop;
    
                    # Allow local traffic and replies
                    iif lo accept
                    ct state { established, related } accept
                    ct state invalid drop
    
                    # Received on primary IPs
                    ct state new ip daddr $primary_ipv4 jump {
                            tcp dport { $tor_orport, $monero_p2p_port, $monero_rpc_port, $syncthing_relay_port, $syncthing_status_port } accept
                            udp dport { $freenet_darknet, $freenet_opennet } accept
                            tcp dport $beszel_port ip saddr $beszel_addr accept
                            tcp dport ssh ip saddr @knock_success ct status dnat ct count 1 accept
                    }
    
                    ct state new ip6 daddr $primary_ipv6 jump {
                            tcp dport { $tor_orport, $i2p_port } accept
                            udp dport { $freenet_darknet, $freenet_opennet, $i2p_port } accept
                    }
    
                    # Can't run i2pd on the exit's IP: https://github.com/i2p/i2p.i2p/blob/master/installer/resources/blocklist-tor.txt
                    ct state new ip daddr $secondary_ipv4 jump {
                            tcp dport $i2p_port accept
                            udp dport $i2p_port accept
                            udp dport $snowflake_port_min - $snowflake_port_max accept
                    }
    
                    # Rate-limit ICMP
                    icmp type echo-request limit rate 25/second accept
                    icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } limit rate 25/second accept
            }
    
            chain output {
                    type filter hook output priority filter; policy accept;
    
                    ct state { established, related } accept
                    ct state invalid drop
    
                    # Block Beszel agent from initiating its own connections, even remote ones
                    skuid beszel counter reject
    
                    # Allow Unbound to access DNS and nothing else
                    # Note that root.zone is updated from the root nameservers over the default IP, not the secondary IP
                    skuid unbound jump {
                            ip protocol { tcp, udp } th dport 53 accept
                            ip6 nexthdr { tcp, udp } th dport 53 accept
                            counter reject
                    }
    
                    # Allow non-local connections and local connections to DNS
                    fib daddr type != local accept
                    ip protocol { tcp, udp } th dport 53 ip daddr 127.0.0.1 accept
    
                    # Allow Java service wrapper
                    skuid freenet tcp dport 32000 ip daddr 127.0.0.1 accept
    
                    # Allow Tor to connect to local ports set in HiddenServicePort
                    skuid debian-tor jump {
                            tcp dport { ssh, 7070, 8888 } ip daddr 127.0.0.1 accept
                            counter reject
                    }
    
                    # Block any remaining packets initiated by these users
                    skuid { _chrony, globalping, syncthing-relaysrv, i2pd, freenet, monero, snowflake-proxy } counter reject
            }
    
            chain forward {
                    type filter hook forward priority filter; policy drop;
            }
    }
    

    The only issue I have with nftables is that there's no xtables integration so there's no xt_bpf, which means I can't directly integrate BPF programs with nftables. But that's not an issue for 99.9% of users who don't need to do DPI.

  • JohnnySacJohnnySac Member

    ufw is nice and easy to use for simple firewalls but I think it's best to learn nftables because it gives you total control and access to more features than ufw (which really just wraps nftables). It has a bit of a learning curve but it's really not bad. Once you start needing more complex firewalls ufw won't cut it.

    Thanked by 1mandala
  • Nftables + RHEL ftw

  • nghialelenghialele Member

    @forest said:
    All of these actually use nftables under the hood. UFW is an iptables frontend and modern iptables is usually iptables-nft, which just translate iptables commands into (sloppy) nftables rules. But writing directly in nftables is always best.

    I like to use nftables, but if bpfilter becomes stable and usable one day, I'll switch in a heartbeat because the performance improvement is absolutely unbeatable and its extensibility is limitless.

    The nft syntax can be a little confusing at first, but it's really not that bad. A basic "allow all out, allow SSH in from 203.0.113.69 only, allow web traffic in from any IP" ruleset would be:

    flush ruleset
    
    table inet filter {
            chain input {
                    type filter hook input priority filter; policy drop;
    
                    # allow loopback and incoming replies
                    iif lo accept
                    ct state { established, related } accept
    
                    # restrict ssh to our home ip but allow anyone to access our web server
                    ct state new ip saddr 203.0.113.69 tcp dport ssh accept
                    ct state new tcp dport { http, https } accept
    
                    # allow necessary and useful icmp types
                    icmp type echo-request limit rate 25/second accept
                    icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } limit rate 25/second accept
            }
    
            chain output {
                    type filter hook output priority filter; policy accept;
            }
    
            chain forward {
                    type filter hook forward priority filter; policy drop;
            }
    }
    

    Btw, you can also use it for more complex things like port knocking (in a bit of a hacky way), DNAT, forcing certain applications to use certain source IPs, and even loopback and output filtering for server hardening:

    flush ruleset
    
    define primary_ipv4 = 23.137.105.248
    define secondary_ipv4 = [REDACTED]
    define primary_ipv6 = 2602:fb54:1400::1d
    
    define knock_port_1 = [REDACTED]
    define knock_port_2 = [REDACTED]
    define knock_port_3 = [REDACTED]
    define ssh_nat_port = [REDACTED]
    
    define tor_orport = 9001
    define i2p_port = 27016
    define freenet_opennet = 61601
    define freenet_darknet = 54696
    define monero_p2p_port = 18080
    define monero_rpc_port = 18089
    define syncthing_relay_port = 22067
    define syncthing_status_port = 22070
    define snowflake_port_min = 41000
    define snowflake_port_max = 41999
    
    define beszel_addr = [REDACTED]
    define beszel_port = [REDACTED]
    
    table inet filter {
            set knock_stage_1 {
                    type ipv4_addr
                    size 8192
                    flags timeout
                    timeout 5s
            }
    
            set knock_stage_2 {
                    type ipv4_addr
                    size 256
                    flags timeout
                    timeout 5s
            }
    
            set knock_success {
                    type ipv4_addr
                    size 256
                    flags timeout
                    timeout 5s
            }
    
            chain prerouting {
                    type filter hook prerouting priority raw; policy accept;
                    tcp flags syn jump knock_check
            }
    
            chain prerouting_nat {
                    type nat hook prerouting priority dstnat; policy accept;
                    tcp dport $ssh_nat_port ip saddr @knock_success redirect to :ssh
            }
    
            chain knock_check {
                    # Knock sequence
                    ip saddr @knock_stage_2 tcp dport $knock_port_3 log prefix "Port knock: " add @knock_success { ip saddr } goto knock_reset
                    ip saddr @knock_stage_1 tcp dport $knock_port_2 delete @knock_stage_1 { ip saddr } add @knock_stage_2 { ip saddr } return
                    tcp dport $knock_port_1 goto knock_start
    
                    # Wrong port knock_success, reset
                    ip saddr @knock_stage_2 goto knock_reset
                    ip saddr @knock_stage_1 goto knock_reset
            }
    
            chain knock_reset {
                    delete @knock_stage_1 { ip saddr }
                    delete @knock_stage_2 { ip saddr }
            }
    
            chain knock_start {
                    jump knock_reset
                    add @knock_stage_1 { ip saddr }
            }
    
            chain input {
                    type filter hook input priority filter; policy drop;
    
                    # Allow local traffic and replies
                    iif lo accept
                    ct state { established, related } accept
                    ct state invalid drop
    
                    # Received on primary IPs
                    ct state new ip daddr $primary_ipv4 jump {
                            tcp dport { $tor_orport, $monero_p2p_port, $monero_rpc_port, $syncthing_relay_port, $syncthing_status_port } accept
                            udp dport { $freenet_darknet, $freenet_opennet } accept
                            tcp dport $beszel_port ip saddr $beszel_addr accept
                            tcp dport ssh ip saddr @knock_success ct status dnat ct count 1 accept
                    }
    
                    ct state new ip6 daddr $primary_ipv6 jump {
                            tcp dport { $tor_orport, $i2p_port } accept
                            udp dport { $freenet_darknet, $freenet_opennet, $i2p_port } accept
                    }
    
                    # Can't run i2pd on the exit's IP: https://github.com/i2p/i2p.i2p/blob/master/installer/resources/blocklist-tor.txt
                    ct state new ip daddr $secondary_ipv4 jump {
                            tcp dport $i2p_port accept
                            udp dport $i2p_port accept
                            udp dport $snowflake_port_min - $snowflake_port_max accept
                    }
    
                    # Rate-limit ICMP
                    icmp type echo-request limit rate 25/second accept
                    icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } limit rate 25/second accept
            }
    
            chain output {
                    type filter hook output priority filter; policy accept;
    
                    ct state { established, related } accept
                    ct state invalid drop
    
                    # Block Beszel agent from initiating its own connections, even remote ones
                    skuid beszel counter reject
    
                    # Allow Unbound to access DNS and nothing else
                    # Note that root.zone is updated from the root nameservers over the default IP, not the secondary IP
                    skuid unbound jump {
                            ip protocol { tcp, udp } th dport 53 accept
                            ip6 nexthdr { tcp, udp } th dport 53 accept
                            counter reject
                    }
    
                    # Allow non-local connections and local connections to DNS
                    fib daddr type != local accept
                    ip protocol { tcp, udp } th dport 53 ip daddr 127.0.0.1 accept
    
                    # Allow Java service wrapper
                    skuid freenet tcp dport 32000 ip daddr 127.0.0.1 accept
    
                    # Allow Tor to connect to local ports set in HiddenServicePort
                    skuid debian-tor jump {
                            tcp dport { ssh, 7070, 8888 } ip daddr 127.0.0.1 accept
                            counter reject
                    }
    
                    # Block any remaining packets initiated by these users
                    skuid { _chrony, globalping, syncthing-relaysrv, i2pd, freenet, monero, snowflake-proxy } counter reject
            }
    
            chain forward {
                    type filter hook forward priority filter; policy drop;
            }
    }
    

    The only issue I have with nftables is that there's no xtables integration so there's no xt_bpf, which means I can't directly integrate BPF programs with nftables. But that's not an issue for 99.9% of users who don't need to do DPI.

    Thanks man! I need more digging on this.

    Thanked by 1forest
  • forestforest Member
    edited 3:45AM

    @nghialele said:

    @forest said:
    All of these actually use nftables under the hood. UFW is an iptables frontend and modern iptables is usually iptables-nft, which just translate iptables commands into (sloppy) nftables rules. But writing directly in nftables is always best.

    I like to use nftables, but if bpfilter becomes stable and usable one day, I'll switch in a heartbeat because the performance improvement is absolutely unbeatable and its extensibility is limitless.

    The nft syntax can be a little confusing at first, but it's really not that bad. A basic "allow all out, allow SSH in from 203.0.113.69 only, allow web traffic in from any IP" ruleset would be:

    flush ruleset
    
    table inet filter {
            chain input {
                    type filter hook input priority filter; policy drop;
    
                    # allow loopback and incoming replies
                    iif lo accept
                    ct state { established, related } accept
    
                    # restrict ssh to our home ip but allow anyone to access our web server
                    ct state new ip saddr 203.0.113.69 tcp dport ssh accept
                    ct state new tcp dport { http, https } accept
    
                    # allow necessary and useful icmp types
                    icmp type echo-request limit rate 25/second accept
                    icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } limit rate 25/second accept
            }
    
            chain output {
                    type filter hook output priority filter; policy accept;
            }
    
            chain forward {
                    type filter hook forward priority filter; policy drop;
            }
    }
    

    Btw, you can also use it for more complex things like port knocking (in a bit of a hacky way), DNAT, forcing certain applications to use certain source IPs, and even loopback and output filtering for server hardening:

    flush ruleset
    
    define primary_ipv4 = 23.137.105.248
    define secondary_ipv4 = [REDACTED]
    define primary_ipv6 = 2602:fb54:1400::1d
    
    define knock_port_1 = [REDACTED]
    define knock_port_2 = [REDACTED]
    define knock_port_3 = [REDACTED]
    define ssh_nat_port = [REDACTED]
    
    define tor_orport = 9001
    define i2p_port = 27016
    define freenet_opennet = 61601
    define freenet_darknet = 54696
    define monero_p2p_port = 18080
    define monero_rpc_port = 18089
    define syncthing_relay_port = 22067
    define syncthing_status_port = 22070
    define snowflake_port_min = 41000
    define snowflake_port_max = 41999
    
    define beszel_addr = [REDACTED]
    define beszel_port = [REDACTED]
    
    table inet filter {
            set knock_stage_1 {
                    type ipv4_addr
                    size 8192
                    flags timeout
                    timeout 5s
            }
    
            set knock_stage_2 {
                    type ipv4_addr
                    size 256
                    flags timeout
                    timeout 5s
            }
    
            set knock_success {
                    type ipv4_addr
                    size 256
                    flags timeout
                    timeout 5s
            }
    
            chain prerouting {
                    type filter hook prerouting priority raw; policy accept;
                    tcp flags syn jump knock_check
            }
    
            chain prerouting_nat {
                    type nat hook prerouting priority dstnat; policy accept;
                    tcp dport $ssh_nat_port ip saddr @knock_success redirect to :ssh
            }
    
            chain knock_check {
                    # Knock sequence
                    ip saddr @knock_stage_2 tcp dport $knock_port_3 log prefix "Port knock: " add @knock_success { ip saddr } goto knock_reset
                    ip saddr @knock_stage_1 tcp dport $knock_port_2 delete @knock_stage_1 { ip saddr } add @knock_stage_2 { ip saddr } return
                    tcp dport $knock_port_1 goto knock_start
    
                    # Wrong port knock_success, reset
                    ip saddr @knock_stage_2 goto knock_reset
                    ip saddr @knock_stage_1 goto knock_reset
            }
    
            chain knock_reset {
                    delete @knock_stage_1 { ip saddr }
                    delete @knock_stage_2 { ip saddr }
            }
    
            chain knock_start {
                    jump knock_reset
                    add @knock_stage_1 { ip saddr }
            }
    
            chain input {
                    type filter hook input priority filter; policy drop;
    
                    # Allow local traffic and replies
                    iif lo accept
                    ct state { established, related } accept
                    ct state invalid drop
    
                    # Received on primary IPs
                    ct state new ip daddr $primary_ipv4 jump {
                            tcp dport { $tor_orport, $monero_p2p_port, $monero_rpc_port, $syncthing_relay_port, $syncthing_status_port } accept
                            udp dport { $freenet_darknet, $freenet_opennet } accept
                            tcp dport $beszel_port ip saddr $beszel_addr accept
                            tcp dport ssh ip saddr @knock_success ct status dnat ct count 1 accept
                    }
    
                    ct state new ip6 daddr $primary_ipv6 jump {
                            tcp dport { $tor_orport, $i2p_port } accept
                            udp dport { $freenet_darknet, $freenet_opennet, $i2p_port } accept
                    }
    
                    # Can't run i2pd on the exit's IP: https://github.com/i2p/i2p.i2p/blob/master/installer/resources/blocklist-tor.txt
                    ct state new ip daddr $secondary_ipv4 jump {
                            tcp dport $i2p_port accept
                            udp dport $i2p_port accept
                            udp dport $snowflake_port_min - $snowflake_port_max accept
                    }
    
                    # Rate-limit ICMP
                    icmp type echo-request limit rate 25/second accept
                    icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } limit rate 25/second accept
            }
    
            chain output {
                    type filter hook output priority filter; policy accept;
    
                    ct state { established, related } accept
                    ct state invalid drop
    
                    # Block Beszel agent from initiating its own connections, even remote ones
                    skuid beszel counter reject
    
                    # Allow Unbound to access DNS and nothing else
                    # Note that root.zone is updated from the root nameservers over the default IP, not the secondary IP
                    skuid unbound jump {
                            ip protocol { tcp, udp } th dport 53 accept
                            ip6 nexthdr { tcp, udp } th dport 53 accept
                            counter reject
                    }
    
                    # Allow non-local connections and local connections to DNS
                    fib daddr type != local accept
                    ip protocol { tcp, udp } th dport 53 ip daddr 127.0.0.1 accept
    
                    # Allow Java service wrapper
                    skuid freenet tcp dport 32000 ip daddr 127.0.0.1 accept
    
                    # Allow Tor to connect to local ports set in HiddenServicePort
                    skuid debian-tor jump {
                            tcp dport { ssh, 7070, 8888 } ip daddr 127.0.0.1 accept
                            counter reject
                    }
    
                    # Block any remaining packets initiated by these users
                    skuid { _chrony, globalping, syncthing-relaysrv, i2pd, freenet, monero, snowflake-proxy } counter reject
            }
    
            chain forward {
                    type filter hook forward priority filter; policy drop;
            }
    }
    

    The only issue I have with nftables is that there's no xtables integration so there's no xt_bpf, which means I can't directly integrate BPF programs with nftables. But that's not an issue for 99.9% of users who don't need to do DPI.

    Thanks man! I need more digging on this.

    If you already know iptables, you can use iptables-translate(8) to convert from iptables to nftables. It's not an optimized translation by any means, but it gives you a good idea about how changes to iptables rules result in changes to the nft rules.

    Some usage examples are here:

    % iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    nft add rule ip filter INPUT tcp dport 22 ct state new counter accept
    
    Thanked by 1nghialele
  • forestforest Member
    edited 3:49AM

    @Fubuki You should have added pf to the list for the BSD folks, an option for "none" for naïve people, and an option for "my hypervisor's firewall" for people who configure the firewall using their VPS' control panel.

  • @forest said:
    @Fubuki You should have added pf to the list for the BSD folks, an option for "none" for naïve people, and an option for "my hypervisor's firewall" for people who configure the firewall using their VPS' control panel.

    And npf so i can throw up a little ;)

  • gatewaysentryllcgatewaysentryllc Member, Patron Provider

    use XDP, even if its XDP Generic it still greatly offers you higher capabilities than iptables.

    Thanked by 1forest
  • forestforest Member
    edited 4:44AM

    @gatewaysentryllc said:
    use XDP, even if its XDP Generic it still greatly offers you higher capabilities than iptables.

    Yep, that's uses eBPF like bpfilter. It's amazingly powerful! Each rule is JIT compiled into native machine code.

    Back in the day before XDP was stable, I would just use xt_bpf in the raw iptables chain, which gave similar performance (but still not as good).

  • edited 5:03AM

    @gatewaysentryllc said:
    use XDP, even if its XDP Generic it still greatly offers you higher capabilities than iptables.

    Kinda depends on who's being addressed i guess. I mean, there's a reason UFW is so far ahead. The average user usually isn't looking for something fancy but just wants to block a bunch of ports. Once something goes beyond that most people check out pretty quickly and even if not the general solutions already do way more stuff than the average person would use. I don't think this can be generalized.

  • forestforest Member
    edited 5:09AM

    @totally_not_banned said: Kinda depends on who's being addressed i guess. I mean, there's a reason UFW is so far ahead. The average user usually isn't looking for something fancy but just wants to block a bunch of ports

    XDP is generally used for earlier filtering, so it actually augments UFW (and iptables and the like) rather than replacing it. It runs extremely early in the network stack which makes it good for DDoS protection so that packets can be discarded or redirected before they hit the much heavier (but more abstract and "useful") NetFilter code.

Sign In or Register to comment.