IPFW questions
From: Staffan Ulfberg (staffan_at_ulfberg.se)
Date: 06/17/04
- Previous message: Richard Neese: "atw admtek driver"
- In reply to: Richard Neese: "atw admtek driver"
- Next in thread: James: "Re: IPFW questions"
- Reply: James: "Re: IPFW questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: freebsd-net@freebsd.org Date: 17 Jun 2004 03:13:30 +0200
I sent an article similar to this a few days ago to c.u.b.freebsd.misc
but didn't get any responses, so I'll try here instead. Please bear
with the long mail... And thanks in advance for any new insights!
I have an IPFW2 firewall and would like to get a few random things
clarified/solved:
FIRST QUESTION: I'm currently filtering ip_input, ip_output, and
bdg_forward packets. What would the differnce be if I filtered
ether_demux and ether_output_frame packets instead of
ip_input/ip_output? The ipfw man page says this:
Note that as packets flow through the stack, headers can be
stripped or added to it, and so they may or may not be available
for inspection. E.g., incoming packets will include the MAC header
when ipfw is invoked from ether_demux(), but the same packets will
have the MAC header stripped off when ipfw is invoked from
ip_input().
What headers are added in ip_input/ip_output, compared to the ethernet
layer equivalents? What kind of filtering could be problematic if
trying to do all filtering on layer2 packets? I've noticed the ip
address, at least, is available, since filtering my bridged traffic
works as expected.
How about natd? Does natd assume that traffic is sent to the divert
socket from ip_input/ip_output?
SECOND QUESTION: When using IPSEC (tunnel mode), what is the flow of
packets through the firewall? My guess (that i'd like to verify) is
that when a machine on my internal network transmits a packet that is
destined to go through the ipsec tunnel, the packet gets in as usual
from fxp3, going through ether_demux and ip_input. Then, the kernel
wraps the packet inside an ESP packet, and that packets goes through
ip_output and ether_output_frame on fxp0. When receiving an ESP
packet, exactly the reverse happens: in through fxp0 ether_demux and
ip_input, unwrapped, and then out through ip_output and
ehter_output_frame on fxp3. Correct?
THIRD QUESTION: I currently use a 1100 MHz Celeron machine with a quad
dc card as a firewall. I tried switching that for a 300 MHz Geode GX1
machine with quad fxp interfaces (actually, this machine:
http://www.evalue-tech.com/evalueweb/products/specifications/ENA-540.cfm).
This doesn't work very well, however, due to bad performance.
Would your guess be that tuning the system could make it work well, or
is it obvious that the machine is too slow for the task? (I tried
ifconfig -link0 and DEVICE_POLLNING, so far without any luck...)
I'm using FreeBSD 4.10 and IPFW2 with BRIDGE and IPDIVERT (for
natd) support. It's connected like this:
Firewall
+-----------------+
| fxp1 +------ web/mail server
Internet -------+ fxp0 |
| fxp3 +------ internal network (4 machines)
+-----------------+ (10.0.3.2-10.0.3.5)
fxp0 and fxp1 are bridged. Packets to/from fxp3 are routed through
natd. All interfaces are 100 Mbps, and the Internet connection is 24
Mbps.
This is a snapshot from top, when transferring about 1mbps (total for
outgoing and incoming traffic through all ports):
CPU states: 1.5% user, 0.0% nice, 44.2% system, 54.3% interrupt, 0.0% idle
Mem: 6296K Active, 28M Inact, 11M Wired, 12K Cache, 13M Buf, 10M Free
Swap:
PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU
COMMAND
71 root 63 0 476K 328K RUN 23.6H 93.07% 93.07% natd
I've read and understand that ipfilter or pf might be faster regarding
nat, but last I checked, ipfilter could not filter bridged packets.
Has this changed, or could pf do that? As a last resort, any way of
getting ipfw and ipfilter work concurrently, with ipfw filtering the
bridged traffic, and ipfilter doing the other stuff?
FOURTH QUESTION: My server (on fxp1) complains like this, about 10
times a day:
Apr 22 12:41:47 multivac /kernel: arp: 212.247.27.202 moved from
00:80:c8:b9:1a:fa to 00:80:c8:b9:1a:f9 on fxp0
Apr 22 12:41:47 multivac /kernel: arp: 212.247.27.202 moved from
00:80:c8:b9:1a:f9 to 00:80:c8:b9:1a:fa on fxp0
(Yes, that machine too has an Intel interface--I'm saying this only
not to cause any confusion about "fxp0" in the log message.)
The ip address is my firewall's external address, and the two ethernet
addresses are the addresses of the firewall's fxp0 and fxp1. I assume
this has to do with the fact that the two interfaces are bridged, but
fxp1 does not even have an IP address... It's not a big problem in
itself, but maybe it indicates something wrong with my setup?
Staffan
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
- Previous message: Richard Neese: "atw admtek driver"
- In reply to: Richard Neese: "atw admtek driver"
- Next in thread: James: "Re: IPFW questions"
- Reply: James: "Re: IPFW questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
