From owner-freebsd-net@FreeBSD.ORG Tue Dec 14 08:51:30 2004
Date: Tue, 14 Dec 2004 11:51:23 +0300
From: Gleb Smirnoff
To: Luigi Rizzo
cc: Max Laier
cc: freebsd-net@freebsd.org
Subject: Re: per-interface packet filters
Message-ID: <20041214085123.GB42820@cell.sick.ru>
In-Reply-To: <20041213104200.A62152@xorpc.icir.org>
References: <20041213124051.GB32719@cell.sick.ru> <200412131743.36722.max@love2party.net> <20041213104200.A62152@xorpc.icir.org>
List-Id: Networking and TCP/IP with FreeBSD

Luigi,

On Mon, Dec 13, 2004 at 10:42:00AM -0800, Luigi Rizzo wrote:
L> I considered doing that when designing ipfw2 (implementing per-interface
L> lists in addition to the global one, for backward compatibility),
L> but then decided against it because 1) a simple initial switch based
L> on the interface checks -- basically the way as Julian suggested
L> -- is very fast provided you don't have tens of interfaces (which,
L> I admit, could be the case if you have many many vlans or ppp or
L> ng nodes), and 2) this way you can do the initial demultiplexing
L> in the most appropriate way for your configuration (e.g. based on
L> protocol, interface name or type, direction, address ranges...) as
L> opposed to TheOnlyWaySuppliedByTheSystem.
L>
L> Not that I am against adding the feature, but I think the
L> performance gain is modest, and readability is not going

It depends on router configuration.

L> to improve a lot because you have to remember the existence
L> of global and per-interface rulesets (the former are mandatory
L> for backward compatibility) and the criteria for using one or
L> the other or both. In the end I think it confuses ideas even more.

They are not mandatory: net.inet.ip.fw.enable = 0. When one uses
per-interface filters, it is suggested not to use global ones.

L> If you care about readability of the packet filter configuration,
L> I think you are better off spending your time building suitable
L> preprocessing tools, and commenting your configurations (remember
L> that // style comments can be stored in ipfw2 rules and there is
L> a listing mode that shows just action+comments, not even the rule bodies,
L> so you can see what the configuration is supposed to do.

I know this. We have well-commented firewall scripts, we store them in RCS,
we do many things to make our life easier. But my practice (and my colleagues')
shows that per-interface filters are easier to understand and maintain when
the number of interfaces grows to 20 or more, and they are all logically
different: clients, servers, DMZs, hardware, NATed networks, etc.

Again, this feature is not for everyone. It is for people who build
complicated routers on FreeBSD. It is not going to hurt standard host setups.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
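A small preprocessing tool in the spirit of the approach Luigi describes in the quoted text above (an initial switch on the interface that jumps to a per-interface block, with `//` comments stored in the rules). This is an added example, not code from the thread or from the ipfw project; the interface names, rule numbers and the 1000-rule spacing between blocks are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a tiny ipfw2 rule generator in the
# spirit of Luigi's "initial switch on the interface" plus "// comments".
# Interface names and rule numbers below are illustrative assumptions, and
# BASE values are assumed to be at least 1000 apart.
#
# Usage: gen_demux IFACE:BASE [IFACE:BASE ...]
# Emits ipfw command lines (suitable for "ipfw -n FILE" syntax checking or
# "ipfw FILE" loading): first a switch of skipto rules, one per interface,
# then one self-contained block per interface starting at BASE.
gen_demux() {
    n=100
    # Pass 1: the initial demultiplexing switch. Each rule jumps to the
    # block owned by the interface the packet is received or sent on.
    for spec in "$@"; do
        iface=${spec%%:*}
        base=${spec#*:}
        printf 'add %d skipto %d ip from any to any via %s // -> %s block\n' \
            "$n" "$base" "$iface" "$iface"
        n=$((n + 10))
    done
    # Packets on an interface without a block would otherwise fall into
    # the first block; deny them explicitly right after the switch.
    printf 'add %d deny log ip from any to any // unknown interface\n' "$n"
    # Pass 2: one block per interface. Rule evaluation continues linearly
    # after a skipto, so every block must end with a terminal rule or
    # traffic would fall through into the next interface's block.
    for spec in "$@"; do
        iface=${spec%%:*}
        base=${spec#*:}
        printf 'add %d check-state // %s: let established flows through\n' \
            "$base" "$iface"
        printf 'add %d deny log ip from any to any // %s: default deny\n' \
            "$((base + 990))" "$iface"
    done
}

# Sample run with three constructed interfaces.
gen_demux em0:1000 vlan10:2000 ng0:3000
```

Per-interface policy rules go between the `check-state` and the default deny of each block; the generated file can be checked with `ipfw -n` before loading.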