Date:      Fri, 27 Jan 2006 10:40:22 -0000
From:      "Ian Kaney" <ikaney@crisiant.com>
To:        "'Chuck Swiger'" <cswiger@mac.com>
Cc:        freebsd-questions@freebsd.org
Subject:   RE: Bridging Firewall Machine Questions
Message-ID:  <20060127104047.4B44543D49@mx1.FreeBSD.org>
In-Reply-To: <43D8F4B2.5080102@mac.com>


Hi, thanks for the replies.

As per Chuck's request, I've lumped together the output of the suggested
commands and the current kernel configuration and put them online for
you to take a look at and see what you think.

http://www.sisko.net/bridge/dmesg.txt

http://www.sisko.net/bridge/kernconf.txt

http://www.sisko.net/bridge/sysctl.txt

http://www.sisko.net/bridge/vmstat.txt

And finally the actual ipfw rule set I'm using:

http://www.sisko.net/bridge/ipfw.txt

Some interesting points as well that were raised. I'm currently using device
polling in the kernel configuration, but I've never personally used
interrupt coalescing or the fast-forwarding sysctl.

The rule set I have in ipfw (as above) isn't that strict or overly
complicated. It basically just states that traffic can get out and blocks some
typical Trojan ports on "internal" machines. The bridge theoretically isn't
there to block traffic; traffic should be able to behave normally in and out of
the network. However, the bridge should give the ability to block
typical ports and/or certain machine IPs if they're causing issues (DoS,
etc.).

I also didn't know SMP could be slower, I thought FreeBSD 5.x had gone to
great lengths to improve the SMP performance. Would it be better to just
implement a more powerful single processor machine to do the bridging?

Dynamic rules do get generated (see ipfw rule set above) because FTP was
having issues when I started to not keep-state, etc. However, I'm still not
overly sure that the rules I have are actually "keepers", as it were.

If you can give any more tips/advice with the information provided it'd be a
great help! :)

--
Ian Kaney
Mail: ikaney@crisiant.com
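Added example, not taken from the message above or from the linked ipfw.txt: a POSIX sh script that writes an ipfw(8) rules file implementing the policy Ian describes (let outbound traffic out with keep-state, block typical Trojan ports toward internal hosts, and block specific internal IPs that are causing trouble, passing everything else). The internal network, the port list and the blocked hosts are constructed placeholders; the output is meant to be loaded with `ipfw /etc/ipfw.rules`.

```shell
#!/bin/sh
# Generate an ipfw(8) rules file for a transparent bridging firewall.
# The values below are constructed placeholders; override them via the
# environment to match the real network.
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"              # assumed LAN
TROJAN_PORTS="${TROJAN_PORTS:-31337,12345,27374}"           # constructed list
BLOCKED_HOSTS="${BLOCKED_HOSTS:-192.168.1.77 192.168.1.90}" # constructed list

# Print the rule set to stdout; redirect it into /etc/ipfw.rules.
gen_ipfw_rules() {
    cat <<EOF
# --- generated rules for a bridging firewall ---
flush
# Packets belonging to an existing dynamic rule are matched first, so the
# replies of outbound sessions (including FTP data) get through.
add 100 check-state
# Internal hosts blocked outright, e.g. while they are sourcing a DoS.
EOF
    n=200
    for h in $BLOCKED_HOSTS; do
        echo "add $n deny log ip from $h to any"
        n=$((n + 1))
    done
    cat <<EOF
# Refuse new inbound connections to typical Trojan/backdoor ports on the LAN.
add 300 deny log tcp from any to $INTERNAL_NET $TROJAN_PORTS setup
# New outbound TCP from the LAN creates a dynamic rule for its return traffic.
add 400 allow tcp from $INTERNAL_NET to any setup keep-state
# The bridge is not meant to filter by default: everything else passes.
add 65000 allow ip from any to any
EOF
}

gen_ipfw_rules
```

The deny rules carry `log`, so hits show up via ipfw's logging (net.inet.ip.fw.verbose) and can be checked with `ipfw -a list` after loading.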