Date: Fri, 14 Nov 2008 10:16:27 -0800 From: Julian Elischer <julian@elischer.org> To: Bruce Evans <brde@optusnet.com.au> Cc: FreeBSD Net <freebsd-net@FreeBSD.org>, ipfw@FreeBSD.org, Ian Smith <smithi@nimnet.asn.au> Subject: Re: rc.firewall quick change Message-ID: <491DC07B.6070304@elischer.org> In-Reply-To: <20081114211043.W54700@delplex.bde.org> References: <491CD94F.3020207@elischer.org> <20081114133913.K70117@sola.nimnet.asn.au> <491D375D.1070809@elischer.org> <20081114211043.W54700@delplex.bde.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Bruce Evans wrote:
> On Fri, 14 Nov 2008, Julian Elischer wrote:
>
>> Ian Smith wrote:
>>> On Thu, 13 Nov 2008, Julian Elischer wrote:
>>> > At home I use the following change.
>>> > > > basically, instead of doing 8 rules before and after the nat,
>>> > use a table and to 1 rule on each side.
>>> > > > any objections?
>>>
>>> Only that if people are already using tables for anything, chances
>>> are they've already used table 1 (well, it's the first one I used :)
>>> How about using table 127 for this as a rather less likely prior choice?
>>
>> yes I thought of that..
>
> Separate rules provide more statistics.
true but generally people don't need to distinguish between those,
and if you do then you probably want to log them.
>
>> in fact it should be ${BLOCKTABLE} and let the user define what he
>> wants. (defaulting to 99 or something).
>
> I use shell variables giving lists of interfaces to be blocked so that
> there aren't very many rules:
>
> %%%
> rfc1918n=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
> dmanningn=0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4
>
> ${fwcmd} add deny log all from any to ${rfc1918n} via ${oif}
> ${fwcmd} add deny log all from any to ${dmanningn} via ${oif}
>
> ... (divert rule)
>
> ${fwcmd} add deny log all from ${rfc1918n} to any via ${oif}
> ${fwcmd} add deny log all from ${dmanningn} to any via ${oif}
> %%%
>
> I use separate lists mainly for documentation purposes but they also
> provide separate statistics.
>
>> Remember though that a user wouldn't be using 'simple' if he's using
>> his own tables etc.
>
> Separate rules are also simplest for documentation purposes.
>
>>> Apart from that, this will speed up 'simple' on a path every packet
>>> takes, which has to be a good thing.
>
> Are tables faster than lists of addresses? I would expect lists to be
> slightly more efficient.
I think the table is faster for mor ethan about 8 addresses (so we
are borderline) but it's be hard to test.. You however use two rules
so that would be slower.
In my sites I tend to have other stuff put in those tables too
>
> Bruce
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?491DC07B.6070304>