From owner-freebsd-questions@FreeBSD.ORG Fri Jan 27 10:40:47 2006
From: "Ian Kaney" (ikaney@crisiant.com)
To: "'Chuck Swiger'"
Cc: freebsd-questions@freebsd.org
Date: Fri, 27 Jan 2006 10:40:22 -0000
Subject: RE: Bridging Firewall Machine Questions
In-Reply-To: <43D8F4B2.5080102@mac.com>
Message-Id: <20060127104047.4B44543D49@mx1.FreeBSD.org>
Reply-To: ikaney@crisiant.com

Hi, thanks for the replies. As per Chuck's request, I've lumped together the output of the suggested commands, grabbed the current kernel configuration, and put them online for you to take a look at and see what you think.

http://www.sisko.net/bridge/dmesg.txt
http://www.sisko.net/bridge/kernconf.txt
http://www.sisko.net/bridge/sysctl.txt
http://www.sisko.net/bridge/vmstat.txt

And finally the actual ipfw rule set I'm using:

http://www.sisko.net/bridge/ipfw.txt

Some interesting points were raised as well.
I'm currently using device polling in the kernel configuration, but I've never personally used interrupt coalescing or the fast-forwarding sysctl.

The rule set I have in ipfw (as above) isn't that strict or overly complicated. It basically just states that traffic can get out and blocks some typical Trojan ports on "internal" machines. The bridge theoretically isn't there to block traffic; traffic should be able to behave normally in and out of the network. However, the bridge should give the ability to block typical ports and/or certain machine IPs if they're causing issues (DoS, etc.).

I also didn't know SMP could be slower; I thought FreeBSD 5.x had gone to great lengths to improve SMP performance. Would it be better to just implement a more powerful single-processor machine to do the bridging?

Dynamic rules do get generated (see the ipfw rule set above) because FTP was having issues when I started to not keep state, etc. However, I'm still not overly sure that the rules I have are actually "keepers", as it were.

If you can give any more tips/advice with the information provided, it'd be a great help! :)

-- 
Ian Kaney
Mail: ikaney@crisiant.com
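[Editor's note: the following is an added example to illustrate the kind of rule set the message is discussing. It is not the poster's actual ipfw.txt (that is at the sisko.net URL above) and not code from the FreeBSD tree. The interface names fxp0/fxp1, the "internal" network 192.0.2.0/24, the port list and the sample blocked host are all assumptions chosen for illustration.]

The script builds a small ipfw(8) rule set for a filtering bridge of the kind described: everything is bridged by default, a few well-known Trojan/worm ports are refused towards the internal machines, and individual hosts can be dropped outright. Two points relevant to the "are my keep-state rules keepers" question: with bridge(4) on FreeBSD 4.x/5.x, ipfw sees each bridged packet once, as incoming on the interface it arrived on (net.link.ether.bridge_ipfw=1 must be set), so every rule keys on `in via`; and with a default-allow tail, `setup` alone is enough to stop new inbound connections on the listed ports, so check-state/keep-state only do real work once the tail is switched to deny, at which point active-mode FTP (server connecting back from port 20) needs its own rule because it is not a reply to the control connection's state.

```shell
#!/bin/sh
# Added example: stateful ipfw(8) rule set for a filtering bridge (bridge(4) era, FreeBSD 4.x/5.x).
# Not the original poster's rule set; interfaces, networks, ports and hosts below are assumptions.
# Run with "apply" to load into the kernel, "check" to syntax-check with ipfw -n, or no
# argument to print the rules that would be loaded.

IPFW="${IPFW:-ipfw}"                      # overridden to "ipfw -n" for check, "echo" for show
EXT_IF="${EXT_IF:-fxp0}"                  # assumed: bridge leg facing the upstream/outside
INT_IF="${INT_IF:-fxp1}"                  # assumed: bridge leg facing the "internal" machines
INT_NET="${INT_NET:-192.0.2.0/24}"        # assumed: the internal address range behind INT_IF
BLOCKED_TCP_PORTS="${BLOCKED_TCP_PORTS:-135,139,445,1433,12345}"  # assumed example port list
BLOCKED_HOSTS="${BLOCKED_HOSTS:-}"        # space-separated IPs to drop in both directions
DEFAULT_POLICY="${DEFAULT_POLICY:-allow}" # allow = filter-only bridge; deny = only inside-initiated flows pass

# $IPFW is deliberately unquoted so "ipfw -n" splits into command and flag.
fw() { $IPFW "$@"; }

build_ruleset() {
    fw -f flush                                      # start from an empty rule table
    fw add 100 allow ip from any to any via lo0      # the bridge box talking to itself

    # 1. Hosts causing trouble (e.g. a DoS source): dropped before anything else.
    for h in $BLOCKED_HOSTS; do
        fw add 200 deny ip from "$h" to any
        fw add 200 deny ip from any to "$h"
    done

    # 2. Typical Trojan/worm ports: refuse new TCP connections (SYN only, via "setup")
    #    arriving from outside towards the internal machines.
    fw add 300 deny tcp from any to "$INT_NET" "$BLOCKED_TCP_PORTS" in via "$EXT_IF" setup

    # 3. Packets belonging to flows the internal side opened match the dynamic table.
    #    Bridged packets are seen once, on input, so replies arrive "in via" EXT_IF.
    fw add 400 check-state

    # 4. Internal hosts opening connections outward create dynamic rules.
    fw add 500 allow tcp from "$INT_NET" to any in via "$INT_IF" setup keep-state
    fw add 510 allow udp from "$INT_NET" to any in via "$INT_IF" keep-state
    fw add 520 allow icmp from any to any

    # 5. Active-mode FTP: the server connects back from port 20. That is a new inbound
    #    connection, not a reply covered by the control connection's state, so it needs
    #    an explicit rule when DEFAULT_POLICY is deny (or clients must use PASV).
    fw add 600 allow tcp from any 20 to "$INT_NET" in via "$EXT_IF" setup

    # 6. Tail rule. With "allow" the box is a filter, not a firewall, and rules 400-510
    #    are harmless but redundant; with "deny" they are what lets replies through.
    fw add 65000 "$DEFAULT_POLICY" ip from any to any
}

case "${1:-show}" in
    apply)
        sysctl net.link.ether.bridge_ipfw=1 >/dev/null   # hand bridged packets to ipfw (bridge(4))
        build_ruleset
        ;;
    check)
        IPFW="ipfw -n"; build_ruleset                     # parse only, do not touch the kernel
        ;;
    *)
        IPFW=echo; build_ruleset                          # print the rules that would be loaded
        ;;
esac
```

Running it with no argument prints the rule set, which is the easiest way to review the order before loading it; `DEFAULT_POLICY=deny BLOCKED_HOSTS="192.0.2.10" sh bridge-rules.sh` shows the stricter variant with a host dropped at rule 200. The rule numbers leave gaps on purpose so that one-off blocks for a misbehaving machine can be added with `ipfw add 210 deny ip from 192.0.2.10 to any` without rewriting the file.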