Date: Sun, 02 Dec 2001 13:57:15
From: "Thor Legvold" <tlegvold@hotmail.com>
To: friar_josh@webwarrior.net
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Firewall rules (ipfw)
Message-ID: <F96pgDidPIOumPx3KoA0001e57b@hotmail.com>
Brother Josh wrote:

>Yes. ipfw is a first match wins system. The first rule that matches
>gets applied to the packet and the rest of the ruleset is skipped.
>

That's what I thought.

>My guess is that the deny log all from any to any via cable0 rule is
>killing packets before they ever make it to the divert rule. You can

My reasoning as well.

>confirm this by looking at either the logs or the packet counters.
>Typically the divert nat rule is one of the first things in the
>ruleset.

Yep, I've seen this. My idea was to restrict the traffic to natd to gre packets only (as nothing else should be there - the dhcp and tcp control connect. for pptp is on the cable0 iface anyway and should never get to natd), giving nat less to do and making the rest of the ruleset a bit simpler. I suppose I could have two nat divert rules separating outgoing from incoming traffic, one allowing incoming on cable0 diverting only gre (as all incoming to nat is gre by default) and one right after allowing all outgoing to go via natd, but I highly doubt that the system would allow that, and if it did I doubt it would actually work (natd would probably get confused).

>Trying to be efficient is always a worthwhile endeavor, and crafting

Thanks.

>rule sets that are as efficient as possible is a good thing (TM), but

Thanks.

>on the other hand, a 486 can easily do nat and ipfw for a cable modem,
>so I wouldn't lose too much sleep over it.

Ok, back to the easy way :-) My link is more like a T1 speed (well, actually it's 2Mb/sec) and the FBSD server is a P3 450 with 128MB RAM, so I think it should be able to handle the traffic. I just figured that removing all non-gre traffic (at the very least incoming) would improve security, improve nat/ipfw performance (lower the load) and simplify the ruleset following the nat translation.
>Josh

Regards,
Thor
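The first-match point Josh makes above (a `deny ... via cable0` rule placed ahead of the `divert natd` rule swallows the GRE packets before natd ever sees them, and the per-rule packet counters show which rule actually fired) can be reproduced without a FreeBSD box. The following is an added illustration, not code from the thread or from ipfw itself: a tiny evaluator that understands just the rule syntax quoted in the thread (`allow`/`deny`/`divert natd`, optional `log`, a protocol, `from`/`to`, optional `via`). The rule numbers, the `cable0`/`fxp0` interface names and the addresses are constructed for the example; the rulesets are modelled on the two orderings the thread discusses, not on Thor's real configuration.

```python
"""First-match evaluator for ipfw-style rules (added example, not FreeBSD ipfw).

Models enough of the syntax quoted in the thread to show two things:
  1. rule order: a catch-all deny placed before the divert rule means the
     divert rule never matches, so natd never receives the GRE traffic;
  2. a divert rule restricted to 'gre' lets non-GRE traffic on the outside
     interface fall through to the deny rule instead of reaching natd.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "gre", "tcp", "udp", ...
    src: str
    dst: str
    iface: str   # interface the packet crosses, e.g. "cable0"


# Hypothetical grammar covering only the rule forms quoted in the thread.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny|divert\s+\S+)\s+(?:log\s+)?"
    r"(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+via\s+(?P<via>\S+))?$"
)


def parse_rule(line):
    """Split one 'NNN action [log] proto from A to B [via IF]' line into fields."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return m.groupdict()


def _addr_matches(pattern, addr):
    return pattern == "any" or pattern == addr


def rule_matches(rule, pkt):
    proto_ok = rule["proto"] in ("all", "ip", pkt.proto)
    via_ok = rule["via"] is None or rule["via"] == pkt.iface
    return (proto_ok and via_ok
            and _addr_matches(rule["src"], pkt.src)
            and _addr_matches(rule["dst"], pkt.dst))


def first_match(ruleset, pkt):
    """Return (rule number, action verb) of the first rule that matches.

    Like ipfw, evaluation stops at the first hit; later rules are skipped.
    """
    for line in ruleset:
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return int(rule["num"]), rule["action"].split()[0]
    return None, "no match"   # real ipfw ends in an implicit default rule


def run_batch(ruleset, packets):
    """Per-rule hit counts, in the spirit of the counters 'ipfw -a list' shows.

    Only the rule that terminated evaluation is credited, which is why the
    counters are the quickest way to confirm which rule is eating a packet.
    """
    counts = {int(parse_rule(l)["num"]): 0 for l in ruleset}
    for pkt in packets:
        num, _ = first_match(ruleset, pkt)
        if num is not None:
            counts[num] += 1
    return counts


# Constructed rulesets: the ordering Josh suspects, and the recommended one.
DIVERT_AFTER_DENY = [
    "100 deny log all from any to any via cable0",
    "200 divert natd gre from any to any via cable0",
    "300 allow ip from any to any",
]
DIVERT_FIRST = [
    "100 divert natd gre from any to any via cable0",
    "200 deny log all from any to any via cable0",
    "300 allow ip from any to any",
]

# Constructed packets (documentation addresses, hypothetical interface names).
GRE_IN = Packet("gre", "203.0.113.5", "198.51.100.7", "cable0")
TCP_IN = Packet("tcp", "203.0.113.5", "198.51.100.7", "cable0")
LAN = Packet("tcp", "192.168.1.2", "192.168.1.1", "fxp0")

if __name__ == "__main__":
    print("divert after deny, GRE:", first_match(DIVERT_AFTER_DENY, GRE_IN))
    print("divert first,      GRE:", first_match(DIVERT_FIRST, GRE_IN))
    print("divert first,      TCP:", first_match(DIVERT_FIRST, TCP_IN))
    print("counters:", run_batch(DIVERT_FIRST, [GRE_IN, GRE_IN, TCP_IN, LAN]))
```

With the deny rule first, the GRE packet is reported as hitting rule 100 (`deny`) and the divert rule's counter stays at zero; with the divert rule first, GRE reaches natd while TCP on the same interface falls through to the deny rule, which is exactly the GRE-only restriction Thor describes. The evaluator knows nothing about natd's own behaviour after the divert, so it says nothing about whether splitting inbound and outbound divert rules would work.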