You're following the concept "allow what's needed, drop everything else", which is good.
From a performance point of view your rules would benefit from some reworking. Rules are evaluated top-to-bottom (inside each chain), so performance-wise it's good to place the rules which will deal with most packets higher on the list. You're missing fasttrack rules (those particularly boost performance). The default firewall rule set is very good in these aspects, so I'm recommending you have a look at the default and try to understand how it performs, and then adjust your firewall rules accordingly.
Personally I'd start from the default (not only is it good performance-wise, it's also pretty secure) and adjust/add the needed rules. Starting from scratch does sound fun, but it's easier to miss things as well.
Statistics: Posted by mkx — Sun Mar 10, 2024 11:57 am
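The ordering the post describes, as an added example that is not part of the original post or the poster's own configuration. It is modelled on the RouterOS v7 default firewall (the "defconf" rules) and shows the two points made above: the fasttrack and "accept established,related" rules sit at the top of each chain so the bulk of packets match early, and everything else is dropped at the end. The WAN and LAN interface lists are assumed to exist (the default configuration creates them); the `ipsec-policy` rules are kept from the default so that fasttrack does not bypass IPsec traffic.

```routeros
# Added example modelled on the RouterOS v7 default firewall; not the poster's rules.
# Assumes the interface lists WAN and LAN already exist.
/ip firewall filter

# ---- input chain: traffic to the router itself ----
# Most packets belong to an existing connection, so this rule goes first.
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="accept to local loopback"
# Catch-all: anything else that did not arrive from LAN is dropped.
add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"

# ---- forward chain: traffic routed through the router ----
# IPsec-protected traffic must be accepted before fasttrack so it is not marked for fasttrack.
add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy"
# Fasttrack: once a connection is established, later packets skip most of the
# firewall processing (and mangle/queues), which is where the speed-up comes from.
add chain=forward action=fasttrack-connection connection-state=established,related \
    hw-offload=yes comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Catch-all: new connections from WAN are dropped unless a dst-nat rule created them.
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="drop all from WAN not DSTNATed"
```

To check that the ordering actually pays off, run `/ip firewall filter print stats` after some traffic has passed: the counters on the fasttrack and "accept established,related" rules should be by far the largest, and the catch-all drops at the bottom should see comparatively few packets. One caveat worth knowing before copying the fasttrack rule: fasttracked packets bypass queues and mangle, so if you rely on simple queues or traffic marking, either leave fasttrack out or narrow it (for example with address or interface matchers) to the connections you do not need to shape.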