Bruce Evans wrote:
On Fri, 14 Nov 2008, Julian Elischer wrote:

Ian Smith wrote:
On Thu, 13 Nov 2008, Julian Elischer wrote:
> At home I use the following change.
>
> basically, instead of doing 8 rules before and after the nat,
> use a table and do 1 rule on each side.
>
> any objections?

Only that if people are already using tables for anything, chances are they've already used table 1 (well, it's the first one I used :) How about using table 127 for this as a rather less likely prior choice?

yes I thought of that..

Separate rules provide more statistics.

true but generally people don't need to distinguish between those,
and if you do then you probably want to log them.


in fact it should be ${BLOCKTABLE} and let the user define what he wants. (defaulting to 99 or something).

I use shell variables giving lists of interfaces to be blocked so that
there aren't very many rules:

%%%
rfc1918n=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
dmanningn=0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4

${fwcmd} add deny log all from any to ${rfc1918n} via ${oif}
${fwcmd} add deny log all from any to ${dmanningn} via ${oif}

... (divert rule)

${fwcmd} add deny log all from ${rfc1918n} to any via ${oif}
${fwcmd} add deny log all from ${dmanningn} to any via ${oif}
%%%

I use separate lists mainly for documentation purposes but they also
provide separate statistics.

Remember though that a user wouldn't be using 'simple' if he's using his own tables etc.

Separate rules are also simplest for documentation purposes.

Apart from that, this will speed up 'simple' on a path every packet takes, which has to be a good thing.

Are tables faster than lists of addresses?  I would expect lists to be
slightly more efficient.

I think the table is faster for more than about 8 addresses (so we
are borderline) but it'd be hard to test..  You however use two rules
so that would be slower.

In my sites I tend to have other stuff put in those tables too.



Bruce

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
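As an added illustration (not code from the thread or from rc.firewall), this is the table-based form of the block that Julian proposes, with the two address lists from Bruce's mail loaded into a single user-settable table so that one rule on each side of the divert replaces the eight per-prefix rules. The names BLOCKTABLE, oif and the dry-run fwcmd default are assumptions; ipfw is never invoked, the commands are only printed for review.

```shell
#!/bin/sh
# Added example: table-based bogon blocking around the NAT divert.
# fwcmd defaults to "echo ipfw" so the generated rules can be inspected
# offline; set fwcmd=/sbin/ipfw to apply them. BLOCKTABLE, oif and the
# "echo" default are assumptions made for this illustration.

fwcmd="${fwcmd:-echo ipfw}"
oif="${oif:-em0}"
BLOCKTABLE="${BLOCKTABLE:-99}"   # user-definable table number, default 99

# The two address lists from the mail: RFC1918 space and other
# non-routable / reserved ranges (3 + 5 = 8 prefixes).
rfc1918n=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
dmanningn=0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4

# Load every prefix into the one table; a single lookup then stands in
# for eight separate deny rules on each side of the divert.
load_blocktable() {
    ${fwcmd} table "${BLOCKTABLE}" flush
    for net in $(printf '%s,%s' "${rfc1918n}" "${dmanningn}" | tr ',' ' '); do
        ${fwcmd} table "${BLOCKTABLE}" add "${net}"
    done
}

# One rule before the divert (bogon destinations going out) and one
# after it (bogon sources coming in); logging keeps them distinguishable.
emit_block_rules() {
    ${fwcmd} add deny log all from any to "table(${BLOCKTABLE})" via "${oif}"
    ${fwcmd} add divert natd all from any to any via "${oif}"
    ${fwcmd} add deny log all from "table(${BLOCKTABLE})" to any via "${oif}"
}

# Count the deny rules produced, to confirm the "1 rule on each side" claim.
count_deny_rules() {
    emit_block_rules | grep -c 'deny log'
}

load_blocktable
emit_block_rules
```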
