Commit d9a9f222 authored by Cool Fire's avatar Cool Fire

Move the related/established rule to the top

Since the RELATED/ESTABLISHED rule matches by far the most packets, putting it at
the top of the INPUT chain avoids evaluating every preceding rule for each packet
of an already-accepted connection, which is a performance win.
parent 311b000c
......@@ -13,50 +13,50 @@ class profile::base::firewall (
}
# Default rules IPv4
firewall { '000 accept all icmp':
firewall { '000 accept related established rules':
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
action => 'accept',
}
-> firewall { '001 accept all icmp':
proto => 'icmp',
action => 'accept',
}
-> firewall { '001 accept all to lo interface':
-> firewall { '002 accept all to lo interface':
proto => 'all',
iniface => 'lo',
action => 'accept',
}
-> firewall { '002 reject local traffic not on loopback interface':
-> firewall { '003 reject local traffic not on loopback interface':
iniface => '! lo',
proto => 'all',
destination => '127.0.0.1/8',
action => 'reject',
}
-> firewall { '003 accept related established rules':
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
action => 'accept',
}
# Default rules IPv6
firewall { '000 accept all icmp v6':
firewall { '000 accept related established rules v6':
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
action => 'accept',
provider => 'ip6tables',
}
-> firewall { '001 accept all icmp v6':
proto => 'icmp',
action => 'accept',
provider => 'ip6tables',
}
-> firewall { '001 accept all to lo interface v6':
-> firewall { '002 accept all to lo interface v6':
proto => 'all',
iniface => 'lo',
action => 'accept',
provider => 'ip6tables',
}
-> firewall { '002 reject local traffic not on loopback interface v6':
-> firewall { '003 reject local traffic not on loopback interface v6':
iniface => '! lo',
proto => 'all',
destination => '::1/128',
action => 'reject',
provider => 'ip6tables',
}
-> firewall { '003 accept related established rules v6':
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
action => 'accept',
provider => 'ip6tables',
}
}
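Review bot: With this ordering, `000 accept related established rules` (and its ip6tables twin) now sits ahead of `003 reject local traffic not on loopback interface`, so the loopback anti-spoof reject is no longer evaluated for any packet conntrack already classifies as RELATED or ESTABLISHED — for example ICMP errors or helper-expected RELATED flows addressed to 127.0.0.1/8 or ::1 arriving on a non-lo interface. In practice the window looks narrow, since the NEW packet that would create such a flow is still rejected, but the old order made the reject unconditional and the commit message argues only performance. If the goal is to skip the longer tail of rules that presumably follows in this class (outside the hunk), nearly all of that gain is kept by placing the state rule immediately after the two loopback rules, e.g. `000 accept all to lo interface`, `001 reject local traffic not on loopback interface`, `002 accept related established rules`, `003 accept all icmp`, mirrored for the ip6tables set. Whichever order is kept, a comment above the IPv4 block such as `# State rule early for throughput; the loopback anti-spoof reject stays ahead of every accept` would record the reasoning for the next edit. The enclosing class profile::base::firewall begins before this hunk.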