Date: Fri, 11 Jul 1997 08:47:40 -0400 (EDT)
From: Drew Derbyshire <ahd@kew.com>
To: freebsd-hackers@FreeBSD.ORG
Subject: RFC: IPFW-DIVERT change. WAS:[ipfw rules processing order..]
Message-ID: <199707111247.IAA03980@pandora.hh.kew.com>
Sort of a separate issue, but ...

While it depends on your plans for divert sockets, in the current motif I prefer the full ruleset be rescanned and processed. As previously noted, the simple semantics (hopefully) make it harder to confuse the user.

Avoiding this additional confusion is desirable if you follow my personal rules for the use of divert rules:

- Inserting a divert rule for _inbound_ packets only near the top of the file. (It may be possible to limit the diverted port range, at least on my system, to 1024-65K; I have not looked at this in detail, but it would help inbound SMTP traffic.)

- Dropping the "setup" keyword from numerous TCP well-known port rules (WWW is most important; SMTP doesn't use its well-known port for most _outbound_ traffic.)

- Moving the "pass tcp from any to any established" rule after the well-known port TCP rules.

- Inserting the outbound packet divert rule immediately before the above "established" rule.

With this configuration on a true firewall system running both a lot of services on well-known ports and natd, natd is bypassed for the bulk of the locally generated outbound traffic, with resulting lower CPU usage.

Of course, no firewall with natd should be for the faint-hearted.

-ahd-
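As an added illustration (not from the mail above, nor from FreeBSD's own rc.firewall), here is a POSIX sh script that emits an ipfw ruleset in the order the message recommends and checks that order. The outside interface ed0, the natd divert port 8668, the rule numbers and the service ports 25 and 80 are assumptions, as is writing each service rule for both directions so that locally generated replies also match before the outbound divert.

```shell
# Added example, not from the original mail: an ipfw ruleset laid out in the
# order the message recommends, plus a check of that order. Interface, natd
# port, rule numbers and service ports are assumptions. IPFW defaults to
# "echo ipfw", so running the script only prints the rules it would load.
IPFW="${IPFW:-echo ipfw}"
OIF="${OIF:-ed0}"              # assumed outside interface
NATD_PORT="${NATD_PORT:-8668}" # assumed natd divert port
SERVICES="25 80"               # well-known TCP ports served locally

ruleset() {
    # 1. Inbound divert near the top: only packets arriving on the outside
    #    interface reach natd. (The mail suggests limiting this to ports
    #    1024-65535; that would be a narrower divert rule in this slot.)
    echo "add 100 divert $NATD_PORT ip from any to any in via $OIF"
    n=200
    # 2. Service rules without "setup", so every packet of a service
    #    connection (both directions here, an assumption) matches before
    #    the outbound divert and never visits natd.
    for p in $SERVICES; do
        echo "add $n pass tcp from any to any $p"; n=$((n + 10))
        echo "add $n pass tcp from any $p to any"; n=$((n + 10))
    done
    # 3. Outbound divert immediately before "established" ...
    echo "add 300 divert $NATD_PORT ip from any to any out via $OIF"
    # 4. ... which now follows the well-known-port rules.
    echo "add 400 pass tcp from any to any established"
    echo "add 65000 deny ip from any to any"
}

# Verify the ordering invariants the mail argues for: inbound divert first,
# every service rule before the outbound divert, and the outbound divert
# before "established". Prints "ok" or the first violated invariant.
rule_order_ok() {
    ruleset | awk '
        BEGIN { maxsvc = 0 }
        /divert/ && / in via /       { din = $2 }
        /divert/ && / out via /      { dout = $2 }
        /established/                { est = $2 }
        /pass tcp/ && !/established/ { if ($2 > maxsvc) maxsvc = $2 }
        END {
            if (din != 100 || din > maxsvc) { print "inbound divert not first"; exit }
            if (maxsvc >= dout) { print "service rule after outbound divert"; exit }
            if (dout >= est)    { print "outbound divert after established"; exit }
            print "ok"
        }'
}

# Load the rules (a dry run unless IPFW points at the real binary).
apply_ruleset() { ruleset | while read -r rule; do $IPFW $rule; done; }
```

Run it with `IPFW=/sbin/ipfw` on a FreeBSD box to load the rules for real; without that variable it only prints them.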