Date:      Tue, 14 Dec 2004 11:51:23 +0300
From:      Gleb Smirnoff <glebius@freebsd.org>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: per-interface packet filters
Message-ID:  <20041214085123.GB42820@cell.sick.ru>
In-Reply-To: <20041213104200.A62152@xorpc.icir.org>
References:  <20041213124051.GB32719@cell.sick.ru> <200412131743.36722.max@love2party.net> <20041213104200.A62152@xorpc.icir.org>

  Luigi,

On Mon, Dec 13, 2004 at 10:42:00AM -0800, Luigi Rizzo wrote:
L> I considered doing that when designing ipfw2 (implementing per-interface
L> lists in addition to the global one, for backward compatibility),
L> but then decided against it because 1) a simple initial switch based
L> on the interface checks -- basically the way as julian suggested
L> -- is very fast provided you don't have tens of interfaces (which,
L> I admit, could be the case if you have many many vlans or ppp or
L> ng nodes), and 2) this way you can do the initial demultiplexing
L> in the most appropriate way for your configuration (e.g. based on
L> protocol, interface name or type, direction, address ranges...) as
L> opposed to TheOnlyWaySuppliedByTheSystem.
L> 
L> Not that I am against adding the feature, but i think the
L> performance gain is modest, and readability is not going

It depends on router configuration.

L> to improve a lot because you have to remember the existence
L> of global and per-interface rulesets (the former are mandatory
L> for backward compatibility) and the criteria for using one or
L> the other or both. In the end i think it confuses ideas even more.

They are not mandatory: net.inet.ip.fw.enable = 0. When one uses
per-interface filters, it is suggested not to use global ones.

L> If you care about readability of the packet filter configuration,
L> i think you are better off spending your time building suitable
L> preprocessing tools, and commenting your configurations (remember
L> that // style comments can be stored in ipfw2 rules and there is
L> a listing mode that shows just action+comments, not even the rule bodies,
L> so you can see what the configuration is supposed to do.

I know this. We have well commented firewall scripts, we store them in RCS,
we do many things to make our life easier. But my practice (and my colleagues')
shows that per-interface filters are easier to understand and maintain when
the number of interfaces grows to 20 and more, and they are all logically
different - clients, servers, DMZs, hardware, NATed networks, etc.

Again, this feature is not for all. This is for people who build complicated
routers on FreeBSD. It is not going to hurt standard host setups.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
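The layout Luigi describes above (a short global block that does one `skipto` per interface, followed by a separately numbered block of rules for each interface, every rule carrying a `//` comment so that `ipfw -b list` prints only action plus comment) as an added example; this is not code from the thread or from the FreeBSD project. The interface names em0, em1 and vlan10, their roles and the address ranges are assumptions for illustration. The script echoes the `ipfw` commands instead of running them, so it can be reviewed on any host; set `IPFW=ipfw` to install the rules on a router.

```shell
#!/bin/sh
# Added example, not code from the thread: an ipfw2 ruleset laid out as a
# global "demux" block (one skipto per interface) plus one rule block per
# interface. Every rule carries a "//" comment so "ipfw -b list" reads as
# a summary of what the configuration is supposed to do.
# Interface names, roles and address ranges below are assumptions.
# Rules are echoed, not installed; run with IPFW=ipfw on the router.

IPFW="${IPFW:-echo ipfw}"

# Each interface owns a 1000-rule range; the block start is the skipto target.
base_for() {
    case "$1" in
        em0)    echo 1000 ;;   # assumed: uplink to the ISP
        em1)    echo 2000 ;;   # assumed: client LAN, 192.168.1.0/24
        vlan10) echo 3000 ;;   # assumed: DMZ, 192.168.10.0/24
        *)      echo "unknown interface: $1" >&2; return 1 ;;
    esac
}

# Global block: the only rules every packet traverses. A packet seen on an
# interface without a block is logged and dropped rather than falling
# through into another interface's rules.
gen_global() {
    for ifn in em0 em1 vlan10; do
        $IPFW add 100 skipto "$(base_for "$ifn")" ip from any to any via "$ifn" // demux to "$ifn" block
    done
    $IPFW add 900 deny log ip from any to any // packet on an interface with no block
}

# Per-interface blocks. Each ends with an unconditional rule so processing
# can never run past it into the next block.
gen_em0() {
    b=$(base_for em0)
    $IPFW add $((b + 10))  deny ip from 192.168.0.0/16 to any in via em0 // spoofed internal source from uplink
    $IPFW add $((b + 20))  allow tcp from any to me 22 in via em0 // admin ssh
    $IPFW add $((b + 30))  allow tcp from any to 192.168.10.80 80 in via em0 // web server in DMZ
    $IPFW add $((b + 40))  allow ip from any to any out via em0 // anything leaving toward the ISP
    $IPFW add $((b + 999)) deny log ip from any to any // em0 default
}

gen_em1() {
    b=$(base_for em1)
    $IPFW add $((b + 10))  allow ip from 192.168.1.0/24 to any in via em1 // clients out
    $IPFW add $((b + 20))  allow ip from any to 192.168.1.0/24 out via em1 // replies back to clients
    $IPFW add $((b + 999)) deny log ip from any to any // em1 default
}

gen_vlan10() {
    b=$(base_for vlan10)
    $IPFW add $((b + 10))  allow ip from 192.168.10.0/24 to any in via vlan10 // DMZ hosts out
    $IPFW add $((b + 20))  allow ip from any to 192.168.10.0/24 out via vlan10 // traffic into DMZ
    $IPFW add $((b + 999)) deny log ip from any to any // vlan10 default
}

gen_ruleset() {
    gen_global
    gen_em0
    gen_em1
    gen_vlan10
}

# Sanity checks over the generated text: the number of skipto rules must
# equal the number of interfaces, and every block must end in a default.
count_skipto()   { gen_ruleset | grep -c ' skipto '; }
count_rules()    { gen_ruleset | grep -c '^ipfw add '; }
count_defaults() { gen_ruleset | grep -c '^ipfw add [0-9]*999 deny log'; }

gen_ruleset
```

Because the first rule matching `via <ifname>` jumps straight into that interface's block, the global chain stays three rules long no matter how many rules each block holds; the cost Luigi mentions is the linear walk through those `skipto` rules, which grows with the number of interfaces.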