Date: Sun, 23 Mar 2014 10:08:21 -0700
From: Michael Sierchio <kudzu@tenebras.com>
To: Julian Elischer <julian@freebsd.org>
Cc: "freebsd-ipfw@freebsd.org" <ipfw@freebsd.org>
Subject: Re: ipfw dynamic rules
Message-ID: <CAHu1Y726yvC7isq4mxKMWsot2MSt=QOe0Q8SPf9aCf3m_RAB3w@mail.gmail.com>
In-Reply-To: <532EF401.80506@freebsd.org>
References: <51546.1395432085@server1.tristatelogic.com> <20140322182402.Q83569@sola.nimnet.asn.au> <201403221454.IAA22021@mail.lariat.net> <20140322151155.184d5229@gumby.homeunix.com> <532E723C.2090109@freebsd.org> <532E7398.5090607@freebsd.org> <20140324000439.F87212@sola.nimnet.asn.au> <532EF401.80506@freebsd.org>
Thanks, Julian, this is sort of independent confirmation of something I've been doing.

I've heard folks complain about efficiency of NAT (more so when using natd/DIVERT), and then saw that they matched every packet on a nat rule - 2 or 4 times.

Some things I abstract from this:

- Use tables for lists of addresses where there's more than 5 or so.
- Use skipto (judiciously)
- Use stateless and stateful rules appropriately
- Stick to some convention for tables - 13 for bogons, 0 for whitelist RFC1918 addrs, 1 for whitelist public addrs, etc.
- Separate processing of packets coming in versus going out

<my own opinions below>

- I have a function in the shell script that loads tables from named files - the contents of tables change without changing the ruleset.
- Packets not destined for "me" will be processed again when they're headed out - you can "allow ip from any to any in" after filtering for the things you do/don't want for "me" - which is the norm for a firewall router protecting internal nets. This is, of course, after early drop for traffic that is obviously "bad".
- Use rulesets and matching tables to permit atomic table replacement with rule swap.
- I also do policy-based routing with setfib and table arg, which means that as conditions change, I can send traffic from a particular net out a different interface.

    /sbin/ipfw add set 1 05000 setfib tablearg ip from table\(1\) to any in lookup src-ip 1

- NAT is something that should happen first on all packets incoming on an if and last on packets headed out an if - with few exceptions. "Last" except for a final decision to pass or deny the traffic.

- M
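Shell helpers that put the conventions in this message into practice, added here as an illustration and not code from the post or from the ipfw project. The table numbers (13 bogons, 0 RFC1918 whitelist, 1 public whitelist) and the 05000 setfib rule come from the message; the interface name em0, the table file layout, the other rule numbers and the use of set 2 as a staging set are assumptions, and by default the functions print the ipfw commands instead of running them.

```sh
#!/bin/sh
# Default prints the ipfw commands instead of running them; set IPFW=/sbin/ipfw to apply.
IPFW=${IPFW:-echo /sbin/ipfw}

# Replace table $1 with the prefixes in file $2 (one per line, '#' comments and
# trailing notes allowed), so address lists change without touching the ruleset.
load_table() {
    num=$1; file=$2
    $IPFW table "$num" flush
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' |
    while read -r prefix _; do
        $IPFW table "$num" add "$prefix"
    done
}

# Emit a skeleton ruleset for interface $1 into set $2 (default 1), in the order
# the post recommends. Table numbers follow the post: 13 bogons, 0 RFC1918
# whitelist, 1 public whitelist (table 1 also carries the FIB number per source net).
gen_ruleset() {
    if=$1; set_no=${2:-1}
    add() { $IPFW add set "$set_no" "$@"; }
    $IPFW nat 1 config if "$if"
    add 00100 nat 1 ip from any to any in recv "$if"            # NAT first on the way in
    add 00200 deny ip from "table(13)" to any in recv "$if"     # early drop of obvious junk
    add 00300 deny ip from any to "table(13)" out xmit "$if"
    add 01000 check-state                                       # stateful: match dynamic rules
    add 01100 allow tcp from "table(0)" to me 22 in setup keep-state   # what "me" accepts
    add 01200 deny ip from any to me in                         # everything else aimed at "me"
    add 05000 setfib tablearg ip from "table(1)" to any in lookup src-ip 1   # policy routing (the post's rule)
    add 06000 allow ip from any to any in                       # transit traffic, filtered again on the way out
    add 60000 nat 1 ip from any to any out xmit "$if"           # NAT last, before the final verdict
    add 60100 allow ip from any to any out
}

# Build the next ruleset in a disabled staging set and swap it in as one operation.
swap_in_ruleset() {
    $IPFW set disable 2
    gen_ruleset "$1" 2
    $IPFW set swap 1 2
    $IPFW delete set 2
}
```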