Why are the following rules in raw prerouting iptables? Unless I am mistaken, this would cause every packet to have to go through these CPU-heavy rules. Shouldn't these rules go into the filter chain after conntrack, so that only new connections are checked, and not all packets for new and established connections, as they would be in raw prerouting?
Hello, this modified /etc/firewalld/direct.xml file seems to work but could probably be improved further. This still does not isolate SIP ports, but it is still a big improvement imo. It should reduce load and improve latency for everyone, and should reduce load and improve throughput considerably on really busy servers.
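As an added illustration of the point made in this thread (this is a constructed example, not the poster's own direct.xml, which is not reproduced here), the fragment below shows the same SIP rule placed in raw PREROUTING, where conntrack has not yet run and the match is evaluated for every packet, and then in filter INPUT restricted to `--ctstate NEW`. The expensive match is assumed: a `hashlimit` rate limit on UDP 5060 stands in for whatever CPU-heavy rules the thread refers to.

```xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <!-- Constructed example for /etc/firewalld/direct.xml.

       BEFORE (weak placement): table="raw" chain="PREROUTING" runs before
       conntrack, so "-m conntrack --ctstate" cannot be used here and the
       hashlimit bookkeeping is done for every packet of every SIP call,
       new or established. -->
  <rule priority="0" table="raw" ipv="ipv4" chain="PREROUTING">-p udp --dport 5060 -m hashlimit --hashlimit-name sip-raw --hashlimit-mode srcip --hashlimit-above 20/sec -j DROP</rule>

  <!-- AFTER (corrected placement): table="filter" chain="INPUT" runs after
       conntrack. Established flows never reach the hashlimit match; only
       the first packet of a new flow (ctstate NEW) is counted and, if the
       source exceeds the assumed limit, dropped. -->
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-p udp --dport 5060 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</rule>
  <rule priority="1" table="filter" ipv="ipv4" chain="INPUT">-p udp --dport 5060 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name sip-new --hashlimit-mode srcip --hashlimit-above 20/sec -j DROP</rule>
</direct>
```

After editing the file, reload with `firewall-cmd --reload` and confirm placement with `firewall-cmd --direct --get-all-rules`; a packet counter on the filter rule (`iptables -t filter -L INPUT_direct -v -n`) should stay low compared with the raw rule, since only flow-opening packets reach it.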