From owner-freebsd-net@FreeBSD.ORG Thu Jun 17 01:13:55 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ABA1716A4CE for ; Thu, 17 Jun 2004 01:13:55 +0000 (GMT) Received: from multivac.fatburen.org (multivac.fatburen.org [212.247.27.201]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8A3A543D31 for ; Thu, 17 Jun 2004 01:13:54 +0000 (GMT) (envelope-from staffan@ulfberg.se) Received: from multivac.fatburen.org (localhost [127.0.0.1]) i5H1DVZS036895 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 17 Jun 2004 03:13:31 +0200 (CEST) (envelope-from staffan@ulfberg.se) Received: (from staffanu@localhost) by multivac.fatburen.org (8.12.9p2/8.12.11/Submit) id i5H1DUGc036892; Thu, 17 Jun 2004 03:13:30 +0200 (CEST) (envelope-from staffan@ulfberg.se) Sender: staffan@ulfberg.se To: freebsd-net@freebsd.org From: Staffan Ulfberg Date: 17 Jun 2004 03:13:30 +0200 In-Reply-To: <200406161646.49893.rneese@adelphia.net> Message-ID: <87zn73kmv9.fsf@multivac.fatburen.org> Lines: 102 User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Spam-Status: No, hits=-0.9 required=5.0 tests=BAYES_10 autolearn=no version=2.63 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on multivac.fatburen.org Subject: IPFW questions X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Jun 2004 01:13:55 -0000 I sent an article similar to this a few days ago to c.u.b.freebsd.misc but didn't get any responses, so I'll try here instead. Please bear with the long mail... And thanks in advance for any new insights! I have an IPFW2 firewall and would like to get a few random things clarified/solved: FIRST QUESTION: I'm currently filtering ip_input, ip_output, and bdg_forward packets. What would the differnce be if I filtered ether_demux and ether_output_frame packets instead of ip_input/ip_output? The ipfw man page says this: Note that as packets flow through the stack, headers can be stripped or added to it, and so they may or may not be available for inspection. E.g., incoming packets will include the MAC header when ipfw is invoked from ether_demux(), but the same packets will have the MAC header stripped off when ipfw is invoked from ip_input(). What headers are added in ip_input/ip_output, compared to the ethernet layer equivalents? What kind of filtering could be problematic if trying to do all filtering on layer2 packets? I've noticed the ip address, at least, is available, since filtering my bridged traffic works as expected. How about natd? Does natd assume that traffic is sent to the divert socket from ip_input/ip_output? SECOND QUESTION: When using IPSEC (tunnel mode), what is the flow of packets through the firewall? My guess (that i'd like to verify) is that when a machine on my internal network transmits a packet that is destined to go through the ipsec tunnel, the packet gets in as usual from fxp3, going through ether_demux and ip_input. Then, the kernel wraps the packet inside an ESP packet, and that packets goes through ip_output and ether_output_frame on fxp0. When receiving an ESP packet, exactly the reverse happens: in through fxp0 ether_demux and ip_input, unwrapped, and then out through ip_output and ehter_output_frame on fxp3. Correct? THIRD QUESTION: I currently use a 1100 MHz Celeron machine with a quad dc card as a firewall. I tried switching that for a 300 MHz Geode GX1 machine with quad fxp interfaces (actually, this machine: http://www.evalue-tech.com/evalueweb/products/specifications/ENA-540.cfm). This doesn't work very well, however, due to bad performance. Would your guess be that tuning the system could make it work well, or is it obvious that the machine is too slow for the task? (I tried ifconfig -link0 and DEVICE_POLLNING, so far without any luck...) I'm using FreeBSD 4.10 and IPFW2 with BRIDGE and IPDIVERT (for natd) support. It's connected like this: Firewall +-----------------+ | fxp1 +------ web/mail server Internet -------+ fxp0 | | fxp3 +------ internal network (4 machines) +-----------------+ (10.0.3.2-10.0.3.5) fxp0 and fxp1 are bridged. Packets to/from fxp3 are routed through natd. All interfaces are 100 Mbps, and the Internet connection is 24 Mbps. This is a snapshot from top, when transferring about 1mbps (total for outgoing and incoming traffic through all ports): CPU states: 1.5% user, 0.0% nice, 44.2% system, 54.3% interrupt, 0.0% idle Mem: 6296K Active, 28M Inact, 11M Wired, 12K Cache, 13M Buf, 10M Free Swap: PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND 71 root 63 0 476K 328K RUN 23.6H 93.07% 93.07% natd I've read and understand that ipfilter or pf might be faster regarding nat, but last I checked, ipfilter could not filter bridged packets. Has this changed, or could pf do that? As a last resort, any way of getting ipfw and ipfilter work concurrently, with ipfw filtering the bridged traffic, and ipfilter doing the other stuff? FOURTH QUESTION: My server (on fxp1) complains like this, about 10 times a day: Apr 22 12:41:47 multivac /kernel: arp: 212.247.27.202 moved from 00:80:c8:b9:1a:fa to 00:80:c8:b9:1a:f9 on fxp0 Apr 22 12:41:47 multivac /kernel: arp: 212.247.27.202 moved from 00:80:c8:b9:1a:f9 to 00:80:c8:b9:1a:fa on fxp0 (Yes, that machine too has an Intel interface--I'm saying this only not to cause any confusion about "fxp0" in the log message.) The ip address is my firewall's external address, and the two ethernet addresses are the addresses of the firewall's fxp0 and fxp1. I assume this has to do with the fact that the two interfaces are bridged, but fxp1 does not even have an IP address... It's not a big problem in itself, but maybe it indicates something wrong with my setup? Staffan