General • Re: Can't access device on management VLAN remotely via Wireguard

1) Incoming UDP connections for Wireguard
Good callout, thanks! Essentially the port only needs to be open if we want other peers to establish the connection. The port can also stay closed and we can still proactively establish the tunnel from the router.

2) Order of firewall rules
I understand where you are coming from, but I think there's more nuance to it. The prerouting chain applies to all packets arriving on the network interface, so the order of rules here does impact how much processing needs to be done for each packet.

However, after a routing decision has been made, we are either processing the input, forward, or output chain, and not all of the chains at the same time. So if you have a list of unsorted rules, it doesn't mean that all of them will be processed regardless of the routing decision.

After studying the documentation, I don't think you'd get a big performance gain (if any at all) if you grouped together all input, forward, and output rules. If that were the case, you'd always have to make the trade-off of which ones to put first, i.e. whether you want ingress or egress traffic to be processed faster.

I think a more helpful heuristic is to consider the order of rules after they have been filtered for the respective chain.

Statistics: Posted by verbylab — Sat Jan 06, 2024 9:15 pm
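The two points in the post above, modelled as an added example that is not code from the post or from RouterOS: a minimal Python simulation of per-chain filter evaluation, showing that interleaving input and forward rules does not change how many rules a packet is checked against, and that with no listening rule only the reply traffic of a router-initiated tunnel gets through. The interface name ether1, the port 13231 and the rule set are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Simplified model of RouterOS-style filter semantics (assumed, not RouterOS code):
# a packet is checked only against rules of the chain the routing decision put it
# in, top to bottom, until an accept/drop rule matches.
@dataclass(frozen=True)
class Rule:
    chain: str                    # "input", "forward" or "output"
    action: str                   # "accept" or "drop"
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    in_iface: Optional[str] = None
    state: Optional[str] = None   # conntrack state(s), comma separated
    comment: str = ""
    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or pkt.get("proto") == self.proto)
                and (self.dst_port is None or pkt.get("dst_port") == self.dst_port)
                and (self.in_iface is None or pkt.get("in_iface") == self.in_iface)
                and (self.state is None or pkt.get("state") in self.state.split(",")))

def evaluate(rules, chain, pkt):
    """Return (verdict, rules_examined) for a packet already routed into `chain`."""
    examined = 0
    for r in rules:
        if r.chain != chain:      # other chains' rules are skipped, not evaluated
            continue
        examined += 1
        if r.matches(pkt):
            return r.action, examined
    return "accept", examined     # no match: RouterOS default is to accept

def group_by_chain(rules):
    """Stable sort: all input rules first, then forward, then output."""
    order = {"input": 0, "forward": 1, "output": 2}
    return sorted(rules, key=lambda r: order[r.chain])

# Constructed rule set with input and forward rules deliberately interleaved.
# Assumed names: ether1 is the WAN port, 13231 the WireGuard listen port.
UNSORTED = [
    Rule("forward", "accept", state="established,related"),
    Rule("input", "accept", state="established,related"),
    Rule("forward", "drop", in_iface="ether1", state="new", comment="no new from WAN"),
    Rule("input", "accept", proto="udp", dst_port=13231, in_iface="ether1", comment="WireGuard"),
    Rule("input", "drop", in_iface="ether1", comment="drop other WAN input"),
]
NO_LISTEN = [r for r in UNSORTED if r.comment != "WireGuard"]  # port "closed"
# Constructed packets: a remote peer's first handshake, and the reply to a
# handshake the router itself initiated (already "established" in conntrack).
WG_NEW = {"proto": "udp", "dst_port": 13231, "in_iface": "ether1", "state": "new"}
WG_REPLY = dict(WG_NEW, state="established")
```

Running `evaluate` on `WG_NEW` against `UNSORTED` and `group_by_chain(UNSORTED)` examines the same two input rules either way; against `NO_LISTEN` the handshake is dropped while `WG_REPLY` is accepted by the first input rule.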