From owner-freebsd-net@freebsd.org Sat Aug 24 18:14:01 2019 Return-Path: Delivered-To: freebsd-net@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id C7DCFC65C4 for ; Sat, 24 Aug 2019 18:14:01 +0000 (UTC) (envelope-from vit@otcnet.ru) Received: from mail.otcnet.ru (mail.otcnet.ru [194.190.78.3]) by mx1.freebsd.org (Postfix) with ESMTP id 46G5xh5hq0z3yM1 for ; Sat, 24 Aug 2019 18:14:00 +0000 (UTC) (envelope-from vit@otcnet.ru) Received: from Victors-MacBook-Air-2.local (unknown [195.91.148.145]) by mail.otcnet.ru (Postfix) with ESMTPSA id 030F0899E4 for ; Sat, 24 Aug 2019 21:13:51 +0300 (MSK) From: Victor Gamov Organization: OTCnet To: freebsd-net@freebsd.org Subject: finding optimal ipfw strategy Message-ID: Date: Sat, 24 Aug 2019 21:13:49 +0300 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 46G5xh5hq0z3yM1 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of vit@otcnet.ru designates 194.190.78.3 as permitted sender) smtp.mailfrom=vit@otcnet.ru X-Spamd-Result: default: False [-2.59 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; NEURAL_HAM_MEDIUM(-0.98)[-0.980,0]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+a:mail.otcnet.ru]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-net@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; HAS_ORG_HEADER(0.00)[]; DMARC_NA(0.00)[otcnet.ru]; NEURAL_HAM_LONG(-1.00)[-0.996,0]; NEURAL_HAM_SHORT(-0.41)[-0.414,0]; IP_SCORE(0.00)[country: RU(0.01)]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:50822, ipnet:194.190.78.0/24, country:RU]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 24 Aug 2019 18:14:01 -0000 Hi All I have nonstandard network task for my FreeBSD box: many VLANs bridged together via bridge interface and specific multicast traffic must be send from one VLAN to many (but not all) other VLANs. I use ipfw to block traffic on unwanted outgoing interfaces. And my answer: which ipfw rules more optimal 1 or 2 (see 1 and 2 later) when I have about 100 incoming multicast and about 100 vlans? 1 ===== ipfw table Mcast1_iface_out create type iface ipfw table Mcast1_iface_out add vlan20 ipfw table Mcast1_iface_out add vlan30 ipfw table Mcast1_iface_out add vlan40 ipfw add 25000 allow udp from IP1 to mcast1 out via table(Mcast1_iface_out) ipfw table Mcast2_iface_out create type iface ipfw table Mcast2_iface_out add vlan20 ipfw table Mcast2_iface_out add vlan30 ipfw add 35000 allow udp from IP1 to mcast2 out via table(Mcast2_iface_out) ipfw table All_vlans create type iface ipfw table All_vlans add vlan20 ipfw table All_vlans add vlan30 ipfw table All_vlans add vlan40 ipfw add 50000 deny udp from any to any via table(All_vlans) ===== 2 ===== ipfw table Mcast_vlan20_out create type addr ipfw table Mcast_vlan20_out add 232.10.20.1/32 ipfw table Mcast_vlan20_out add 232.10.20.2/32 ipfw table Mcast_vlan20_out add 232.10.20.3/32 ipfw add 25000 allow udp from IP1 to table(Mcast_vlan20_out) out via vlan20 ipfw add 25001 deny udp from any to any via vlan20 ipfw table Mcast_vlan30_out create type addr ipfw table Mcast_vlan30_out add 232.10.20.1/32 ipfw table Mcast_vlan30_out add 232.10.20.2/32 ipfw table Mcast_vlan30_out add 232.10.55.5/32 ipfw add 35000 allow udp from IP1 to table(Mcast_vlan30_out) out via vlan30 ipfw add 35001 deny udp from any to any via vlan30 ===== Thanks for your advise! -- CU, Victor Gamov