From owner-freebsd-hackers Fri Jul 11 05:47:47 1997
Date: Fri, 11 Jul 1997 08:47:40 -0400 (EDT)
From: Drew Derbyshire
Message-Id: <199707111247.IAA03980@pandora.hh.kew.com>
To: freebsd-hackers@FreeBSD.ORG
Subject: RFC: IPFW-DIVERT change. WAS:[ipfw rules processing order..]

Sort of a separate issue, but ...

While it depends on your plans for divert sockets, in the current motif I prefer the full ruleset be rescanned and processed. As previously noted, the simple semantics (hopefully) make it harder to confuse the user.

Avoiding this additional confusion is desirable if you follow my personal rules for the use of divert rules:

- Inserting a divert rule for _inbound_ packets only near the top of the file. (It may be possible to limit the diverted port range, at least on my system, to 1024-65K; I have not looked at this in detail, but it would help inbound SMTP traffic.)

- Dropping the "setup" keyword from numerous TCP well-known port rules (WWW is most important; SMTP doesn't use its well-known port for most _outbound_ traffic.)

- Moving the "pass tcp from any to any established" rule after the well-known port TCP rules.

- Inserting the outbound packet divert rule immediately before the above "established" rule.

With this configuration on a true firewall system running both a lot of services on well-known ports and natd, natd is bypassed for the bulk of the locally generated outbound traffic with resulting lower CPU usage.
Of course, no firewall with natd should be for the faint hearted. -ahd-
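The rule ordering described in the message above, as an added example that is not part of the original post or of FreeBSD's own rc.firewall: an sh script that emits (or, when asked, loads) an ipfw ruleset with the inbound divert near the top, the well-known port rules without "setup", the outbound divert directly before "established", and "established" after the service rules. The interface names ed0/ed1, the address 192.0.2.1, natd's default port 8668, and scoping the service rules to the firewall's own address (so that LAN clients' traffic still falls through to natd) are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: an ipfw ruleset in the order the
# message describes. Interface names, addresses and natd's port are assumptions.
oif="ed0"            # assumed outside interface
iif="ed1"            # assumed inside (LAN) interface
fwip="192.0.2.1"     # assumed public address of the firewall itself
natd_port="8668"     # natd's default divert port

rules() {
    # Loopback and the LAN side are left open here (assumption, not the post's).
    echo "add 50 pass ip from any to any via lo0"
    echo "add 60 pass ip from any to any via ${iif}"
    # 1. Divert inbound packets only, near the top: every packet arriving on
    #    the outside interface is offered to natd exactly once.
    echo "add 100 divert ${natd_port} ip from any to any in via ${oif}"
    # 2. Well-known port TCP rules without "setup", so every packet of these
    #    flows matches here, in both directions. Scoped to the firewall's own
    #    address (assumption) so LAN clients' traffic still reaches natd.
    #    Services the firewall runs:
    echo "add 200 pass tcp from any to ${fwip} 25,80 in via ${oif}"
    echo "add 210 pass tcp from ${fwip} 25,80 to any out via ${oif}"
    #    Connections the firewall makes (outbound SMTP leaves from an
    #    ephemeral source port, so it is matched by destination port):
    echo "add 220 pass tcp from ${fwip} to any 25,80 out via ${oif}"
    echo "add 230 pass tcp from any 25,80 to ${fwip} in via ${oif}"
    # 3. Outbound divert immediately before "established": only traffic no
    #    rule above accepted (LAN clients, other ports) costs a natd pass.
    echo "add 300 divert ${natd_port} ip from any to any out via ${oif}"
    # 4. "established" now sits after the well-known port rules.
    echo "add 310 pass tcp from any to any established"
    echo "add 320 pass tcp from ${fwip} to any setup out via ${oif}"
    echo "add 65000 deny log ip from any to any"
}

# Rule number of the first rule whose text matches an awk regex (for checks).
rule_no() { rules | awk -v p="$1" '$0 ~ p { print $2; exit }'; }

load() {
    # Dry-run on hosts without ipfw: print what would be loaded instead.
    if [ -x /sbin/ipfw ]; then cmd="/sbin/ipfw"; else cmd="echo ipfw"; fi
    ${cmd} -f flush
    rules | while read -r r; do ${cmd} ${r}; done
}

# Only touch the live firewall when asked explicitly; otherwise print the rules.
if [ "$1" = "load" ]; then load; else rules; fi
```

Run it with the argument `load` on the firewall to install the rules; without it the script only prints them, which is a convenient way to review the ordering before committing to it.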