Date:      Thu, 16 Apr 2015 17:12:35 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Julian Elischer <julian@freebsd.org>
Cc:        hiren panchasara <hiren@strugglingcoder.info>, freebsd-ipfw@freebsd.org, nitroboost@gmail.com
Subject:   Re: ipfw on just inbound and not outbound
Message-ID:  <20150416164024.B93161@sola.nimnet.asn.au>
In-Reply-To: <552F2F82.1060506@freebsd.org>
References:  <20150414210901.GA10620@strugglingcoder.info> <552F2F82.1060506@freebsd.org>

On Thu, 16 Apr 2015 11:41:54 +0800, Julian Elischer wrote:
 > On 4/15/15 5:09 AM, hiren panchasara wrote:
 > > Apologies if this is something silly but I want to completely eliminate
 > > ipfw from outgoing traffic perspective. I just want to have it on
 > > incoming. I can always add "allow ip from any to any out" as the first
 > > rule but that is still ipfw doing something.
 > > 
 > > Is there a way to tell ipfw to not look at outbound traffic at all?
 > no
 > > 
 > > OR, the rule I mentioned is the best that can be done here?
 > yes
 > 
 > this touches on something I've been thinking of for a while.. per
 > interface/direction rule sets.
 > but that doesn't exist yet.
 > 
 > you could write a kernel module that would disconnect the outgoing packet
 > filter hooks
 > but "hack" comes to mind as a description there.
 > 
 > actually....  you could use the ipfw netgraph hook and only hook it up for
 > incoming packets,
 > but it would probably be not much more efficient than just having the rule,
 > and more complicated to set up.

I'm wondering if the cost of that one rule is even worth worrying about.

Hiren, you might try running iperf (ono):

 a) after 'ipfw disable firewall'

 b) after just 'ipfw add 20000 allow ip from any to any'

 c) after say 1000 rules before getting to (b) by such as:

 for i in `jot - 0 999`; do
	ipfw add $((i*10+1000)) count ip from any to any
 done

to then calculate a cost per rule.  Tens or hundreds of ns?

Of course, whether that cost is significant depends on the sort of pps 
rates you're having (or hoping :) to deal with on the box in question ..

 > > cheers,
 > > Hiren
 > > 
 > > ps: Please keep me cc'd as I am not subscribed.

cheers, Ian
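One way to script the a/b/c comparison outlined above, as an added example that is not part of the thread: it generates the scenario (c) rule set without depending on jot, and turns measured packet rates (e.g. from iperf) into the firewall's fixed overhead and a per-rule cost. The pps figures in the demo are constructed; rule numbers 1000..10990 and 20000 follow the email.

```shell
#!/bin/sh
# Added example, not from the thread: scaffolding for the a/b/c measurement.
# Assumes ipfw is available and that you have a packets-per-second figure
# for each scenario; the pps values used below are constructed stand-ins.

# Print the "ipfw add" commands for scenario (c): N count rules numbered
# BASE, BASE+STEP, ... so they all sit ahead of the allow rule at 20000.
count_rules() {
    n=$1; base=${2:-1000}; step=${3:-10}
    i=0
    while [ "$i" -lt "$n" ]; do
        echo "ipfw add $((base + i * step)) count ip from any to any"
        i=$((i + 1))
    done
}

# Convert a packets-per-second rate into nanoseconds spent per packet.
ns_per_packet() {
    awk -v pps="$1" 'BEGIN { printf "%.2f\n", 1e9 / pps }'
}

# Fixed cost of having the firewall enabled at all: (b) minus (a), in ns.
# Arguments: pps with ipfw disabled, pps with the single allow rule.
firewall_overhead_ns() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%.2f\n", 1e9/b - 1e9/a }'
}

# Marginal cost of one rule: (c) minus (b), divided by the number of
# count rules inserted ahead of the allow rule.
# Arguments: pps with the allow rule only, pps with N count rules, N.
per_rule_ns() {
    awk -v b="$1" -v c="$2" -v n="$3" \
        'BEGIN { printf "%.3f\n", (1e9/c - 1e9/b) / n }'
}

# Demo with constructed pps figures standing in for real measurements.
if [ "${1:-}" = "demo" ]; then
    count_rules 1000 | head -3          # preview the generated rules
    echo "firewall overhead: $(firewall_overhead_ns 1480000 1400000) ns/packet"
    echo "per-rule cost:     $(per_rule_ns 1400000 1200000 1000) ns"
fi
```

Run with `sh script.sh demo` to see the derived numbers; pipe `count_rules 1000` into `sh` on the test box to actually install the rules.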