From: Julian Elischer
Date: Fri, 14 Nov 2008 10:16:27 -0800
To: Bruce Evans
Cc: FreeBSD Net, ipfw@FreeBSD.org, Ian Smith
Subject: Re: rc.firewall quick change
Message-ID: <491DC07B.6070304@elischer.org>
In-Reply-To: <20081114211043.W54700@delplex.bde.org>
References: <491CD94F.3020207@elischer.org> <20081114133913.K70117@sola.nimnet.asn.au> <491D375D.1070809@elischer.org> <20081114211043.W54700@delplex.bde.org>
List-Id: Networking and TCP/IP with FreeBSD

Bruce Evans wrote:
> On Fri, 14 Nov 2008, Julian Elischer wrote:
>
>> Ian Smith wrote:
>>> On Thu, 13 Nov 2008, Julian Elischer wrote:
>>>> At home I use the following change.
>>>>
>>>> Basically, instead of doing 8 rules before and after the nat,
>>>> use a table and do 1 rule on each side.
>>>>
>>>> Any objections?
>>>
>>> Only that if people are already using tables for anything, chances
>>> are they've already used table 1 (well, it's the first one I used :)
>>> How about using table 127 for this as a rather less likely prior choice?
>>
>> Yes, I thought of that.
>
> Separate rules provide more statistics.

True, but generally people don't need to distinguish between those, and
if you do then you probably want to log them.

>
>> In fact it should be ${BLOCKTABLE} and let the user define what he
>> wants (defaulting to 99 or something).
>
> I use shell variables giving lists of interfaces to be blocked so that
> there aren't very many rules:
>
> %%%
> rfc1918n=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
> dmanningn=0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4
>
> ${fwcmd} add deny log all from any to ${rfc1918n} via ${oif}
> ${fwcmd} add deny log all from any to ${dmanningn} via ${oif}
>
> ... (divert rule)
>
> ${fwcmd} add deny log all from ${rfc1918n} to any via ${oif}
> ${fwcmd} add deny log all from ${dmanningn} to any via ${oif}
> %%%
>
> I use separate lists mainly for documentation purposes but they also
> provide separate statistics.
>
>> Remember though that a user wouldn't be using 'simple' if he's using
>> his own tables etc.
>
> Separate rules are also simplest for documentation purposes.
>
>>> Apart from that, this will speed up 'simple' on a path every packet
>>> takes, which has to be a good thing.
>
> Are tables faster than lists of addresses? I would expect lists to be
> slightly more efficient.

I think the table is faster for more than about 8 addresses (so we are
borderline) but it'd be hard to test. You however use two rules so that
would be slower. In my sites I tend to have other stuff put in those
tables too.

>
> Bruce
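The table-based variant of the 'simple' block rules that the thread is debating, written out as an added example (not code from the thread or from FreeBSD's rc.firewall): one ipfw table loaded with the RFC 1918 and other never-routable prefixes, and a single deny rule on each side of the divert instead of one rule per prefix. ${fwcmd} defaults to echo so the generated rules can be inspected on any machine; on a FreeBSD host set fwcmd=/sbin/ipfw. The table number 99, interface em0 and the exact prefix list are assumptions for illustration, as are the function names.

```shell
#!/bin/sh
# Added example: emit the "one table, two rules" form of the rc.firewall
# 'simple' block rules. With fwcmd=echo the rules are printed instead of
# installed, so the script runs without ipfw. Table number, interface and
# prefix list are assumed values, not taken from the mailing-list thread.

fwcmd="${fwcmd:-echo ipfw}"        # set to /sbin/ipfw on a real firewall
oif="${oif:-em0}"                  # outside interface (assumed name)
BLOCKTABLE="${BLOCKTABLE:-99}"     # user-overridable table number

# RFC 1918 space plus other prefixes that must never cross the outside
# interface in either direction (assumed list; extend to taste).
blocknets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"

# Load the table once. Adding more prefixes later costs only a table
# entry, not another rule on the per-packet path.
load_blocktable() {
    ${fwcmd} table "${BLOCKTABLE}" flush
    for net in ${blocknets}; do
        ${fwcmd} table "${BLOCKTABLE}" add "${net}"
    done
}

# One deny before the divert (outbound to blocked destinations) and one
# after it (inbound from blocked sources), each a single table lookup.
emit_rules() {
    ${fwcmd} add deny log all from any to "table(${BLOCKTABLE})" via "${oif}"
    ${fwcmd} add divert natd all from any to any via "${oif}"
    ${fwcmd} add deny log all from "table(${BLOCKTABLE})" to any via "${oif}"
}

# Shape checks: how many table entries and how many deny rules result.
count_table_adds() { load_blocktable | grep -c " add "; }
count_deny_rules() { emit_rules | grep -c " deny "; }

# Print the generated rule set when run directly.
load_blocktable
emit_rules
```

Because the whole martian list collapses into two rules, `ipfw show` no longer tells you which prefix a dropped packet matched; the `log` keyword is what preserves that information, which is the trade-off Bruce and Julian are discussing.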