Date:      Thu, 16 Jan 2003 16:47:09 -0700
From:      Nate Williams <nate@yogotech.com>
To:        "."@babolo.ru
Cc:        Nate Williams <nate@yogotech.com>, freebsd-hackers@FreeBSD.ORG
Subject:   Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID:  <15911.17533.490764.478803@emerger.yogotech.com>
In-Reply-To: <200301162344.h0GNiIZk002530@aaz.links.ru>
References:  <15911.15011.409213.712266@emerger.yogotech.com> <200301162344.h0GNiIZk002530@aaz.links.ru>

> > > Try this simple ruleset:
> > > 
> > > possible deny log tcp from any to any setup tcpoptions !mss
> > > 
> > > ipfw add allow ip from any to any out
> > > ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> > > ipfw add deny log ip from any to any
> > 
> > I'd limit these to the outside interface, for performance rules.
> > 
> > # Whatever the interface is...
> > outif="fxp0"
> > ipfw add allow ip from any to any out via ${outif}
> > ipfw add allow ip from any to your.c.net{x,y,z,so on...} via ${outif}
> > ipfw add deny log ip from any to any via ${outif}
> > 
> > etc...
>
> Your above ruleset seems to be correct ... if you add
> some rule for outgoing traffic.
> I was too fast and kept in mind only incoming traffic.
> 
> Effectiveness depends on the number of interfaces.
> If I remember right, one external and one internal.
> If so, the ruleset without interfaces defined
> for allow rules is not worse than without interfaces IMHO.

Not true.  The packets still pass through 'both' interfaces, and as such
the number of rules it must traverse is doubled (once for the internal,
once for the external).  Halving the # of ipfw rules is an easy way to
decrease the load on a CPU. :)

For most people, it makes little difference, but the user in question
has a firewall that's overloaded, so a 2x decrease in the # of rules might
make the difference, since the 'load' is caused by packets that
shouldn't be getting through.


Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message