From owner-freebsd-net@FreeBSD.ORG Tue Dec 14 09:40:07 2004
From: Vladimir Grebenschikov
To: Gleb Smirnoff
cc: Luigi Rizzo
cc: freebsd-net@freebsd.org
Subject: Re: per-interface packet filters
Date: Tue, 14 Dec 2004 12:40:03 +0300
Organization: SWsoft
Message-Id: <1103017203.1060.25.camel@localhost>
In-Reply-To: <20041214085123.GB42820@cell.sick.ru>
References: <20041213124051.GB32719@cell.sick.ru> <200412131743.36722.max@love2party.net> <20041213104200.A62152@xorpc.icir.org> <20041214085123.GB42820@cell.sick.ru>
Reply-To: vova@fbsd.ru
List-Id: Networking and TCP/IP with FreeBSD

On Tue, 14/12/2004 at 11:51 +0300, Gleb Smirnoff writes:
> I know this. We have well-commented firewall scripts, we store them in RCS,
> we do many things to make our life easier. But my practice (and my colleagues')
> shows that per-interface filters are easier to understand and maintain when
> the number of interfaces grows up to 20 and more, and they are all logically
> different - clients, servers, DMZs, hardware, NATed networks, etc.
>
> Again, this feature is not for all. This is for people who build complicated
> routers on FreeBSD. It is not going to hurt standard host setups.

Frankly speaking, I think people who run a real-life router with a firewall on
FreeBSD will vote for this feature with both hands.

Some years ago I had a FreeBSD router with nearly 100 interfaces (mostly VLANs
and Frame Relay customer connections, and about 10 physical media interfaces).
This router transferred some thousands of packets per second. It was real
trouble to rearrange the ipfw table with a large (very large) number of jumps
(especially when some number range was exceeded and renumbering was required).
Also, most of the router's interrupt time was spent going through the client
multiplexer part of the ipfw ruleset.

Gleb, please do the feature. Why do we not avoid bottlenecks where they can be
avoided? With that feature we can select the right rules for a specific
interface without doing a linear search through the ruleset.

Do we want FreeBSD to be used on a large scale of setups, or do we have narrow
targeting?

-- off-topic --
Some days ago FreeBSD was the only OS flexible and stable enough to be used in
complex, customized network environments, but nowadays it is not so :(, and you
know why.
-- off-topic --
(not for flame or advocacy, just emotion)

-- 
Vladimir B. Grebenchikov
vova@fbsd.ru
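The cost argument in the message above (a flat ipfw ruleset with a per-interface "multiplexer" of skipto jumps at the top, versus a ruleset selected directly by interface) can be made concrete with a small model. The following is an added example, not code from the thread or from FreeBSD: it builds both layouts for a constructed router, evaluates one constructed packet against each, and counts how many rules are examined. The rule numbering scheme (one fixed-size number block per interface), the direct jump on skipto, and the interface and address names are assumptions of the model; the 1..65535 rule-number range is the real ipfw limit.

```python
"""Model of ipfw-style rule lookup cost: flat ruleset with a skipto
multiplexer versus per-interface rulesets. Constructed example, not
FreeBSD code."""
from bisect import bisect_left
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPFW_MAX_RULE_NUMBER = 65535  # real ipfw rule numbers are 1..65535


@dataclass
class Rule:
    number: int
    iface: Optional[str]          # None: matches any interface
    action: str                   # "allow", "deny" or "skipto"
    dst: Optional[str] = None     # destination host to match, None: any
    target: Optional[int] = None  # skipto destination rule number


Packet = Dict[str, str]  # constructed packet: {"iface": ..., "dst": ...}


def build_flat_ruleset(ifaces: List[str], rules_per_iface: int,
                       block_size: int = 1000) -> List[Rule]:
    """One linear ruleset: a multiplexer of one skipto per interface at the
    top, then one numbered block per interface ending in a terminal rule.
    Raises ValueError where the poster's renumbering pain would start."""
    if rules_per_iface + 1 > block_size:
        raise ValueError("rule block exceeded: whole ruleset must be renumbered")
    rules: List[Rule] = []
    for i, ifc in enumerate(ifaces):
        rules.append(Rule(i + 1, ifc, "skipto", target=(i + 1) * block_size))
    for i, ifc in enumerate(ifaces):
        base = (i + 1) * block_size
        for k in range(rules_per_iface):
            rules.append(Rule(base + k, ifc, "deny", dst=f"10.{i}.0.{k}"))
        rules.append(Rule(base + rules_per_iface, ifc, "allow"))
    rules.sort(key=lambda r: r.number)
    if len({r.number for r in rules}) != len(rules):
        raise ValueError("rule numbers collide: multiplexer overlaps a block")
    if rules[-1].number > IPFW_MAX_RULE_NUMBER:
        raise ValueError("rule number space exhausted")
    return rules


def evaluate_flat(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Walk the flat ruleset in number order; return (action, rules examined).
    Assumption: skipto jumps directly to its target rather than scanning."""
    numbers = [r.number for r in rules]
    examined, i = 0, 0
    while i < len(rules):
        r = rules[i]
        examined += 1
        if r.iface is not None and r.iface != pkt["iface"]:
            i += 1
            continue
        if r.action == "skipto":
            i = bisect_left(numbers, r.target)
            continue
        if r.dst is None or r.dst == pkt["dst"]:
            return r.action, examined
        i += 1
    return "deny", examined  # implicit default deny


def build_per_iface_rulesets(ifaces: List[str],
                             rules_per_iface: int) -> Dict[str, List[Rule]]:
    """Same per-interface rules, but kept as one independent list per
    interface so no multiplexer is needed and numbering never collides."""
    sets: Dict[str, List[Rule]] = {}
    for i, ifc in enumerate(ifaces):
        block = [Rule(k + 1, ifc, "deny", dst=f"10.{i}.0.{k}")
                 for k in range(rules_per_iface)]
        block.append(Rule(rules_per_iface + 1, ifc, "allow"))
        sets[ifc] = block
    return sets


def evaluate_per_iface(sets: Dict[str, List[Rule]], pkt: Packet) -> Tuple[str, int]:
    """Look up only the ruleset of the arrival interface."""
    examined = 0
    for r in sets.get(pkt["iface"], []):
        examined += 1
        if r.dst is None or r.dst == pkt["dst"]:
            return r.action, examined
    return "deny", examined


def compare(n_ifaces: int = 100, rules_per_iface: int = 20) -> Tuple[int, int]:
    """Rules examined for a packet on the last interface that matches no
    specific deny rule: (flat ruleset, per-interface ruleset)."""
    ifaces = [f"vlan{i}" for i in range(n_ifaces)]
    flat = build_flat_ruleset(ifaces, rules_per_iface, block_size=500)
    per = build_per_iface_rulesets(ifaces, rules_per_iface)
    pkt: Packet = {"iface": ifaces[-1], "dst": "192.0.2.1"}  # constructed
    action_flat, n_flat = evaluate_flat(flat, pkt)
    action_per, n_per = evaluate_per_iface(per, pkt)
    assert action_flat == action_per == "allow"
    return n_flat, n_per


if __name__ == "__main__":
    print(compare())  # flat walks the whole multiplexer first: (121, 21)
```

With 100 interfaces the flat layout examines every multiplexer entry before the interface's own block is reached, so the per-packet cost grows with the interface count; the per-interface layout examines only that interface's rules. The ValueError paths show the other complaint from the message: once a block fills up, or the 65535 number space runs out, the whole flat ruleset has to be renumbered, whereas the per-interface lists are numbered independently.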