From owner-freebsd-stable@FreeBSD.ORG Sun May 25 00:22:30 2014 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B2465323 for ; Sun, 25 May 2014 00:22:30 +0000 (UTC) Received: from smtp1.bway.net (smtp1.v6.bway.net [IPv6:2607:d300:1::27]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 79A692AEE for ; Sun, 25 May 2014 00:22:30 +0000 (UTC) Received: from [10.3.2.108] (foon.sporktines.com [96.57.144.66]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: spork@bway.net) by smtp1.bway.net (Postfix) with ESMTPSA id E20FF9586D; Sat, 24 May 2014 20:22:18 -0400 (EDT) Content-Type: text/plain; charset=windows-1252 Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\)) Subject: Re: What is your favourite/best firewall on FreeBSD and why? From: Charles Sprickman In-Reply-To: <5381283C.8010005@wemm.org> Date: Sat, 24 May 2014 20:22:18 -0400 Content-Transfer-Encoding: quoted-printable Message-Id: References: <20140520070926.GA92183@The.ie> <537FB96D.1040503@wemm.org> <542A7016-FEE2-418C-B1F1-2227378BB4C8@bway.net> <5381283C.8010005@wemm.org> To: Peter Wemm X-Mailer: Apple Mail (2.1878.2) Cc: freebsd-stable@freebsd.org X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 25 May 2014 00:22:30 -0000 On May 24, 2014, at 7:16 PM, Peter Wemm wrote: > On 5/23/14, 11:12 PM, Charles Sprickman wrote: >> On May 23, 2014, at 5:11 PM, Peter Wemm wrote: >>=20 >>> On 5/23/14, 3:04 AM, Dr Josef Karthauser wrote: >>>> On 23 May 2014, at 10:00, G. Paul Ziemba = wrote: >>>>=20 >>>>> Lucius.Rizzo@The.ie (Lucius Rizzo) writes: >>>>>=20 >>>>>> Ultimately, outside configuration differences all firewalls are = essentially >>>>>> serve the same purpose but I wonder what is your favorite and = why? If >>>>>> you were to run FreeBSD in production, which of the three would = you >>>>>> choose? IPFilter, PF or IPFW? >>>>> I switched to pf about seven months ago as I began to need to >>>>> manage bandwidth for specific classes of traffic (for example, >>>>> prevent outbound mailing list email from saturating the link >>>>> and reserve some bandwidth for interactive use). >>>>>=20 >>>>> The syntax is very close and the NAT configuration is simpler in = pf. >>>> Does the pfsync handle NAT tables. >>>> Could I use it to build a resilient carrier grade NAT solution? >>>>=20 >>> Yes, pfsync includes NAT. While we don't use NAT in the freebsd.org = cluster, we do use it on certain ipv6+rfc1918 machines and it does = handle failover / recovery transparently. We use it with carp. >>>=20 >>> Be aware that things can get a little twitchy if your switches have = an extended link-up periods. Our Juniper EX switches and ethernet = interfaces have a significant delay between 'ifconfig up' and link = established. This required some tweaks on the freebsd.org cluster but = nothing unmanageable. We probably should boot them into a hold-down = state while things stabilize and but we've taken the quick way out = rather than doing it the ideal way. >> Off-topic, but it sounds like you need the Juniper equivalent of the = Cisco =93spanning-tree portfast=94 command on your switch interfaces = that connect to end hosts. The pause you see is part of STP where the = switch port sits in learning mode from 5 to 30 seconds before going to = forwarding mode. This is important for inter-switch links, but not at = all needed when you know a port is only going to have a host plugged = into it. >>=20 >=20 > Indeed, I believe this is a legacy of when we had discrete switches = chained together. We've since switched to virtual chassis = configurations so there's only inter-switch forwarding via the = backplane. I've made a note to check this out when I'm physically = present. >=20 > But it is something to be aware of if you're using carp in this = configuration as new members will believe they are the master for a = short while and that does lead to drama as it converges. =20 Interesting. I don=92t use carp as part of a firewall setup at all = (yet), but I have a few cases where I use it for service redundancy. I = am beyond happy with how well it works in that scenario. What is the = behavior in a carp=92d firewall configuration like you=92ve described? = New host comes up, sees the port up (but forwarding is not active yet), = becomes master, and then you have a period of time after the port starts = forwarding where you have two masters - what=92s the effect here? Does = traffic using the carp IP for a gateway end up basically randomly = hitting both hosts in the pair until the =93false=94 master decides it=92s= a slave again? I assume pf acts oddly when pfsync is enabled and you = have both hosts in a pair being active. > This not a pf/carp problem though, more one that we haven't used the = available tools properly yet. It seems like it could be fixed in carp though - I mostly deal with = Cisco switches, and the delay before a port starts forwarding is a = default config. There are also those that totally recommend leaving the = STP defaults in case some junior network guy decides to plug something = into the wrong port - I believe it=92s possible to get a forwarding loop = going with =93spanning-tree portfast=94 enabled. But most server admins = are very keen on enabling the feature because no one wants to wait up to = 30 seconds for a port to come alive. If the carp initialization could = do a few checks beyond the basic port status (for example, is at least = one MAC address in the ARP table for the interface in question) and = delay initializing until knowing for certain an ethernet link is truly = =93up=94, that might make things behave a bit better in environments = like this. Someone more clever than I could probably come up with a = more elegant solution though. :) I don=92t think it would be improper = to work around the scenario you describe, as it=92s pretty common once = you move into =93enterprise=94 switching territory. Sorry for continuing the OT, but I=92m curious about what is probably a = fairly common scenario. Charles >=20 > -Peter >=20 > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to = "freebsd-stable-unsubscribe@freebsd.org"