finding optimal ipfw strategy

Victor Gamov vit at otcnet.ru
Wed Aug 28 10:18:49 UTC 2019


On 28/08/2019 24:45, Eugene Grosbein wrote:
> 28.08.2019 3:59, Victor Gamov wrote:
> 
>>>> sysctl.conf
>>>> =====
>>>> net.link.ether.ipfw=1
>>>> net.link.bridge.ipfw=1
>>>> net.link.bridge.ipfw_arp=1
>>>> net.link.bridge.pfil_member=1
>>>>
>>>> net.inet.ip.fw.verbose_limit=100
>>>> net.inet.ip.fw.verbose=1
>>>> =====
> 
>>> Do you really use ipfw filtering based on layer2 parameters like
>>> MAC addresses? If not, you should disable net.link.ether.ipfw. If
>>> yes, you should use "layer2" keyword explicitly in rules filtering
>>> by ethernet headers and place these rules above others and use
>>> "allow ip from any to any layer2" after L2 filtering is done, so
>>> L2 packets do not go through other rules extra time.
>>> 
>>> Do you really need to filter each bridged L3 packet twice? Once
>>> as "out xmit $bridge" and once as "out xmit $bridge_member"? If
>>> not, you should disable net.link.bridge.ipfw and keep
>>> net.link.bridge.pfil_member=1 only.
>> 
>> Packets must be filtered on input VLANs (bridge members) and on
>> output VLANs.  So net.link.bridge.pfil_member=1
>>> Perhaps, you are ruining the performance with such settings
>>> making the same work 3 times without real need. Do you really need
>>> filtering ARP? Disable net.link.bridge.ipfw_arp if not.
>> I need to drop ARP moving via bridge.  As I use many VLANs, all VLANs
>> must be isolated and only multicast must be bridged from one VLAN
>> to others.  To block ARP the following rule is used:
>>
>> deny ip from any to any mac-type 0x0806 via bridge1202
>>
>> If I understand correctly I need net.link.bridge.ipfw_arp and
>> net.link.bridge.ipfw to do it.  I'm not sure about net.link.ether.ipfw
> 
> Why do you need to filter ARP on bridge? That's unusual. VLANs are
> isolated by default and by definition, unless you explicitly enable
> inter-vlan routing and setup your routing table.

Maybe I have some misunderstanding here but...  If I have many VLANs 
bridged via a bridge interface then ARP received from one VLAN will be 
sent to all bridge members.  So it will be sent to all unwanted VLANs. 
Is it correct?


> Anyway, you can skip entire ipfw pass over a bridge because you
> filter its members anyway, so just drop ARP coming from any vlan with
> exception of controlling one:
> 
> allow ip from any to any layer2 mac-type 0x0806 in recv $controlvlan
> deny ip from any to any layer2 mac-type 0x0806 in
> allow ip from any to any layer2
> 
> And then disable filtering for bridge itself altogether. Decreasing
> number of passes over ipfw should be your top priority because that's
> what can provide you with most benefit. You should even rewrite your
> ruleset if that is needed to achieve this goal.

If I set net.link.bridge.ipfw=0 but net.link.ether.ipfw and 
net.link.bridge.ipfw are still set to 1, is it still possible to block 
unwanted ARP received from one VLAN and bridged to another on the 
outgoing VLAN, like

deny ip from any to any layer2 mac-type 0x0806 out xmit MAC not $mymac any

Is it correct and more effective than net.link.bridge.ipfw=1 if I have 
"deny mac-type 0x0806 via bridge" at rules top?


-- 
CU,
Victor Gamov
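As an added example (not code from the thread or from either poster), the POSIX sh script below puts the two approaches discussed side by side: the original "deny ... via bridge1202" rule, which only works with net.link.bridge.ipfw=1 and so costs an extra ipfw pass per bridged packet, and Eugene's layer2 rules that decide ARP on the receiving member VLAN and then let all other layer2 traffic through before the L3 rules. The VLAN name vlan100 is a constructed placeholder for the "controlling" VLAN, and the IPFW variable defaults to a dry run (echo) so the generated commands can be inspected on a machine without ipfw.

```shell
#!/bin/sh
# Added example, not code from the thread: build the ruleset Eugene proposes
# (ARP filtered at layer2 on the bridge members, no ipfw pass on the bridge
# itself) next to the original "via bridge" rule, so the two can be compared.
# Interface names below are constructed; IPFW defaults to a dry run so the
# script can be inspected on a box without ipfw.

CONTROL_VLAN="${CONTROL_VLAN:-vlan100}"   # constructed: the only VLAN allowed to source ARP
BRIDGE="${BRIDGE:-bridge1202}"            # bridge name used in the thread
IPFW="${IPFW:-echo ipfw}"                 # set IPFW=ipfw to really apply the rules

# sysctl.conf as the thread's advice leaves it: keep member filtering, keep the
# ethernet hook that "layer2" rules need, and drop the pass over the bridge.
# ipfw_arp stays as in the original sysctl.conf; the thread leaves its need open.
sysctl_settings() {
    cat <<EOF
net.link.ether.ipfw=1
net.link.bridge.pfil_member=1
net.link.bridge.ipfw=0
net.link.bridge.ipfw_arp=1
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=100
EOF
}

# Original approach: a rule matched on the bridge interface, which requires
# net.link.bridge.ipfw=1 and therefore one more ipfw pass for every packet.
old_arp_rules() {
    echo "100 deny ip from any to any mac-type 0x0806 via $BRIDGE"
}

# Suggested approach: ARP (ethertype 0x0806) is decided on the member VLAN the
# frame arrives on; all other layer2 traffic is allowed right away so it is not
# evaluated a second time against the L3 rules that follow.
new_arp_rules() {
    echo "100 allow ip from any to any layer2 mac-type 0x0806 in recv $CONTROL_VLAN"
    echo "110 deny ip from any to any layer2 mac-type 0x0806 in"
    echo "120 allow ip from any to any layer2"
}

# Count rules that still reference the bridge interface: any hit means the
# ruleset still depends on net.link.bridge.ipfw=1 and its extra pass.
bridge_rule_count() {
    "$1" | grep -c "via $BRIDGE" || true
}

# Hand each rule of the given generator to ipfw (or echo it in the dry run).
apply_rules() {
    "$1" | while read -r rule; do
        $IPFW add $rule
    done
}

echo "# sysctl.conf"; sysctl_settings
echo "# old rules reference the bridge $(bridge_rule_count old_arp_rules) time(s)"
echo "# new rules reference the bridge $(bridge_rule_count new_arp_rules) time(s)"
apply_rules new_arp_rules
```

Run it as-is to see the generated `ipfw add` lines; with `IPFW=ipfw CONTROL_VLAN=<your vlan> sh script.sh` it applies them. The rule order matters: the two ARP rules must sit above the blanket `allow ... layer2`, and that in turn above every L3 rule, which is the "fewer passes" point made in the thread.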

