Re: per-interface packet filters

From: Andre Oppermann (andre_at_freebsd.org)
Date: 12/14/04

  • Next message: Andre Oppermann: "Re: per-interface packet filters"
    Date: Tue, 14 Dec 2004 13:54:25 +0100
    To: vova@fbsd.ru
    
    

    Vladimir Grebenschikov wrote:
    >
    > On Tue, 14/12/2004 at 11:51 +0300, Gleb Smirnoff writes:
    >
    > > I know this. We have well commented firewall scripts, we store them in RCS,
    > > we do many things to make our life easier. But my practice (and my colleagues')
    > > shows that per interface filters are easier to understand and maintain when
    > > number of interfaces grows up to 20 and more, and they all are logically
    > > different - clients, servers, DMZs, hardware, nated networks, etc.
    > >
    > > Again, this feature is not for all. This is for people who build complicated
    > > routers on FreeBSD. It is not going to hurt standard host setups.
    >
    > Frankly speaking, I think people who run a real-life router with firewall on
    > fbsd will vote for this feature with both hands.
    >
    > Some years ago I had a freebsd router with close to 100
    > interfaces (mostly VLANs and FrameRelay customer connections, and
    > about 10 physical media interfaces). This router transferred some
    > thousands of packets per second. It was real trouble to rearrange the ipfw
    > table with a large (very large) number of jumps (especially in the case when
    > some number range was exceeded and renumbering was required). Also most of the
    > router interrupt time was spent going through the client multiplexer part
    > of the ipfw ruleset.
    >
    > Gleb, please do the feature.
    >
    > Why we do not avoid bottlenecks where they can be avoided ?
    > With that feature we can select right rules for specific interface
    > without doing a linear search through the ruleset.

    It's about HOW to implement it. I think the ways proposed so far are
    hackish, too complex and outside of our framework, which was very well
    designed and allows this kind of feature without any of the hacks and
    extensions discussed here.

    We have to properly DESIGN this feature instead of just hacking it
    in.

    > Do we want FreeBSD to be used on a large scale of setups, or do we have
    > a narrow target in mind?

    As long as there is a sufficiently large base we are not opposed to it.
    What we are opposed to is tradeoffs which favor one particular minority
    special interest over the general average interest set.

    > -- off-topic --
    > Days ago FreeBSD was the only OS flexible and stable enough to be used in
    > complex, customized network environments, but nowadays it is not so :(,
    > and you know why.
    > -- off-topic -- (not for flame or advocacy, just emotion)

    No, I don't know why and this isn't helping any.

    -- 
    Andre
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
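An added example, not part of the thread and not ipfw code: a small Python model of the two ruleset shapes Vladimir describes. The "flat" variant is one numbered ruleset with a leading interface multiplexer (one skipto per interface, then a block of rules per interface), which is what a stock ipfw ruleset on a many-interface router looks like; the "per-interface" variant keeps a separate chain per interface and dispatches on the receiving interface directly. The model counts rule evaluations per packet, and also shows the renumbering problem: ipfw rule numbers live in 1..65535, so a fixed per-interface stride runs out of number space as the interface count grows. The interface names, the four-rule per-interface policy and the packets are constructed for the example; skipto is modelled with ipfw's semantics (jump to the first rule numbered >= target) and the chain end is treated as default deny.

```python
"""Model of a flat ipfw-style ruleset with an interface multiplexer versus
per-interface chains. Example code written for this page; the rule policy,
interface names and packets are constructed, not taken from a real router."""
import bisect
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

IPFW_MAX_RULE = 65535  # ipfw rule numbers are 1..65535; 65535 is the default rule


@dataclass
class Packet:
    iface: str   # receiving interface
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    number: int
    action: str                    # "allow", "deny" or "skipto"
    match: Callable[[Packet], bool]
    target: Optional[int] = None   # skipto target rule number


def iface_rules(base: int) -> List[Rule]:
    """Constructed per-interface policy: web in, ssh only from 10.0.0.0/24, else deny."""
    return [
        Rule(base,     "allow", lambda p: p.dport == 80),
        Rule(base + 1, "allow", lambda p: p.dport == 443),
        Rule(base + 2, "allow", lambda p: p.dport == 22 and p.src.startswith("10.0.0.")),
        Rule(base + 3, "deny",  lambda p: True),
    ]


def build_flat_ruleset(ifaces: List[str], stride: int = 100) -> List[Rule]:
    """One ruleset: rules 1..n are 'skipto <block> via <iface>', n+1 denies
    unknown interfaces, then one block of iface_rules per interface at a
    fixed stride. Raises ValueError when the number space is exhausted,
    which is the point at which a real ruleset has to be renumbered."""
    rules = [Rule(i + 1, "skipto", (lambda p, ifn=ifn: p.iface == ifn), target=None)
             for i, ifn in enumerate(ifaces)]
    rules.append(Rule(len(ifaces) + 1, "deny", lambda p: True))
    first_block = ((len(ifaces) + 1) // stride + 1) * stride  # above the multiplexer
    for i, r in enumerate(rules[:-1]):
        base = first_block + i * stride
        block = iface_rules(base)
        if block[-1].number > IPFW_MAX_RULE:
            raise ValueError(f"rule number space exhausted at {ifaces[i]}; "
                             f"renumber with a smaller stride")
        r.target = base
        rules.extend(block)
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Walk rules in number order, counting match evaluations. skipto jumps to
    the first rule numbered >= target (ipfw semantics); falling off the end
    is treated as default deny."""
    numbers = [r.number for r in rules]
    i, evals = 0, 0
    while i < len(rules):
        r = rules[i]
        evals += 1
        if r.match(pkt):
            if r.action == "skipto":
                i = bisect.bisect_left(numbers, r.target)
                continue
            return r.action, evals
        i += 1
    return "deny", evals


def build_per_iface(ifaces: List[str]) -> Dict[str, List[Rule]]:
    """Per-interface chains: each interface gets its own small ruleset."""
    return {ifn: iface_rules(1) for ifn in ifaces}


def evaluate_per_iface(chains: Dict[str, List[Rule]], pkt: Packet) -> Tuple[str, int]:
    chain = chains.get(pkt.iface)
    if chain is None:
        return "deny", 0   # no chain for this interface: nothing evaluated
    return evaluate(chain, pkt)


def compare(n: int = 100) -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """Cost of one ssh packet arriving on the last of n VLAN interfaces."""
    ifaces = [f"vlan{i}" for i in range(n)]
    pkt = Packet(f"vlan{n - 1}", "10.0.0.5", "192.0.2.1", 22)
    return evaluate(build_flat_ruleset(ifaces), pkt), \
        evaluate_per_iface(build_per_iface(ifaces), pkt)


def rule_space_exhausted(n: int, stride: int) -> bool:
    try:
        build_flat_ruleset([f"vlan{i}" for i in range(n)], stride=stride)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    flat, per = compare(100)
    print(f"flat multiplexer: {flat}, per-interface: {per}")
    print("stride 1000 with 100 interfaces exhausts rule numbers:",
          rule_space_exhausted(100, 1000))
```

With 100 interfaces the flat ruleset evaluates about one rule per interface before it reaches the block for the last VLAN, so the multiplexer dominates the per-packet cost exactly as described above, while the per-interface chain evaluates only the handful of rules that apply to that interface. Widening the stride to leave room for growth within each block makes the number space run out sooner, which is the renumbering trap.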
    
