Re: IPFW questions

From: James (haesu_at_towardex.com)
Date: 06/17/04

  • Next message: Robert Watson: "Re: Intel 10GbE Driver committed" 
    Date: Thu, 17 Jun 2004 14:59:02 -0400
To: Staffan Ulfberg <staffan@ulfberg.se>

    natd is a daemon userland process which performs way poorly than a kernel
    process. its fine for small office/home use, but definately not at the traffic
    level you are pushing.

    you can consider using ipnat (kldload ipl.ko; man -a ipnat) for NAT rules, and
    use ipfw for rest of packet filtering.

    hope it helps..
    -J

    On Thu, Jun 17, 2004 at 03:13:30AM +0200, Staffan Ulfberg wrote:
    > I sent an article similar to this a few days ago to c.u.b.freebsd.misc
    > but didn't get any responses, so I'll try here instead. Please bear
    > with the long mail... And thanks in advance for any new insights!
    >
    > I have an IPFW2 firewall and would like to get a few random things
    > clarified/solved:
    >
    >
    > FIRST QUESTION: I'm currently filtering ip_input, ip_output, and
    > bdg_forward packets. What would the differnce be if I filtered
    > ether_demux and ether_output_frame packets instead of
    > ip_input/ip_output? The ipfw man page says this:
    >
    > Note that as packets flow through the stack, headers can be
    > stripped or added to it, and so they may or may not be available
    > for inspection. E.g., incoming packets will include the MAC header
    > when ipfw is invoked from ether_demux(), but the same packets will
    > have the MAC header stripped off when ipfw is invoked from
    > ip_input().
    >
    > What headers are added in ip_input/ip_output, compared to the ethernet
    > layer equivalents? What kind of filtering could be problematic if
    > trying to do all filtering on layer2 packets? I've noticed the ip
    > address, at least, is available, since filtering my bridged traffic
    > works as expected.
    >
    > How about natd? Does natd assume that traffic is sent to the divert
    > socket from ip_input/ip_output?
    >
    >
    > SECOND QUESTION: When using IPSEC (tunnel mode), what is the flow of
    > packets through the firewall? My guess (that i'd like to verify) is
    > that when a machine on my internal network transmits a packet that is
    > destined to go through the ipsec tunnel, the packet gets in as usual
    > from fxp3, going through ether_demux and ip_input. Then, the kernel
    > wraps the packet inside an ESP packet, and that packets goes through
    > ip_output and ether_output_frame on fxp0. When receiving an ESP
    > packet, exactly the reverse happens: in through fxp0 ether_demux and
    > ip_input, unwrapped, and then out through ip_output and
    > ehter_output_frame on fxp3. Correct?
    >
    >
    > THIRD QUESTION: I currently use a 1100 MHz Celeron machine with a quad
    > dc card as a firewall. I tried switching that for a 300 MHz Geode GX1
    > machine with quad fxp interfaces (actually, this machine:
    > http://www.evalue-tech.com/evalueweb/products/specifications/ENA-540.cfm).
    > This doesn't work very well, however, due to bad performance.
    >
    > Would your guess be that tuning the system could make it work well, or
    > is it obvious that the machine is too slow for the task? (I tried
    > ifconfig -link0 and DEVICE_POLLNING, so far without any luck...)
    >
    > I'm using FreeBSD 4.10 and IPFW2 with BRIDGE and IPDIVERT (for
    > natd) support. It's connected like this:
    >
    > Firewall
    > +-----------------+
    > | fxp1 +------ web/mail server
    > Internet -------+ fxp0 |
    > | fxp3 +------ internal network (4 machines)
    > +-----------------+ (10.0.3.2-10.0.3.5)
    >
    > fxp0 and fxp1 are bridged. Packets to/from fxp3 are routed through
    > natd. All interfaces are 100 Mbps, and the Internet connection is 24
    > Mbps.
    >
    > This is a snapshot from top, when transferring about 1mbps (total for
    > outgoing and incoming traffic through all ports):
    >
    > CPU states: 1.5% user, 0.0% nice, 44.2% system, 54.3% interrupt, 0.0% idle
    > Mem: 6296K Active, 28M Inact, 11M Wired, 12K Cache, 13M Buf, 10M Free
    > Swap:
    >
    > PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU
    > COMMAND
    > 71 root 63 0 476K 328K RUN 23.6H 93.07% 93.07% natd
    >
    > I've read and understand that ipfilter or pf might be faster regarding
    > nat, but last I checked, ipfilter could not filter bridged packets.
    > Has this changed, or could pf do that? As a last resort, any way of
    > getting ipfw and ipfilter work concurrently, with ipfw filtering the
    > bridged traffic, and ipfilter doing the other stuff?
    >
    >
    > FOURTH QUESTION: My server (on fxp1) complains like this, about 10
    > times a day:
    >
    > Apr 22 12:41:47 multivac /kernel: arp: 212.247.27.202 moved from
    > 00:80:c8:b9:1a:fa to 00:80:c8:b9:1a:f9 on fxp0
    > Apr 22 12:41:47 multivac /kernel: arp: 212.247.27.202 moved from
    > 00:80:c8:b9:1a:f9 to 00:80:c8:b9:1a:fa on fxp0
    >
    > (Yes, that machine too has an Intel interface--I'm saying this only
    > not to cause any confusion about "fxp0" in the log message.)
    >
    > The ip address is my firewall's external address, and the two ethernet
    > addresses are the addresses of the firewall's fxp0 and fxp1. I assume
    > this has to do with the fact that the two interfaces are bridged, but
    > fxp1 does not even have an IP address... It's not a big problem in
    > itself, but maybe it indicates something wrong with my setup?
    >
    > Staffan
    > _______________________________________________
    > freebsd-net@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-net
    > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" 

    -- 
James Jun                                            TowardEX Technologies, Inc.
Technical Lead                        Network Design, Consulting, IT Outsourcing
james@towardex.com                  Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
  • Next message: Robert Watson: "Re: Intel 10GbE Driver committed"

    Relevant Pages

    • Re: Sysctls for ipfw, some help please!
      ... Bridging might be required for NAT, ... Well, I've never used ipfw for MAC filtering, so take this basically as ... you can apply to those packets - in the case of ipfw, ...
      (comp.unix.bsd.freebsd.misc)
    • Re: ipfw/nated stateful rules example
      ... I found it OK for stateful rules, as long as you don't use natd! ... packets went out including the natd in the middle. ... > ipfw add allow udp from any ntp to any in recv $ext_if ... > ipfw add allow udp from any to any ntp out xmit $ext_if ...
      (freebsd-questions)
    • Re: [Full-disclosure] ICMP Security Vulnerabilities - NEW (cough)
      ... egress filtering based on the ICMP payload. ... When a host receives the request, ... >Allow the outbound echo request and inbound echo reply. ... >sender to slow down the rate it is sending packets. ...
      (Bugtraq)
    • Re: [Full-disclosure] ICMP Security Vulnerabilities - NEW (cough)
      ... egress filtering based on the ICMP payload. ... When a host receives the request, ... >Allow the outbound echo request and inbound echo reply. ... >sender to slow down the rate it is sending packets. ...
      (Full-Disclosure)
    • Re: [fw-wiz] IPTables QUEUE target equivalency in other firewalls
      ... ipfw certainly does, called divert. ... and usable by others instead or in addition to natd. ... > Netfilter/IPTables supports a target of QUEUE which delivers packets to ... > allow/drop packets in realtime. ...
      (Firewall-Wizards)