svn commit: r202582 - head/etc/namedb

Doug Barton dougb at FreeBSD.org
Mon Jan 18 21:33:25 UTC 2010


On 01/18/10 12:35, b. f. wrote:
>> Author: dougb
>> Date: Mon Jan 18 18:37:47 2010
>> New Revision: 202582
>> URL: http://svn.freebsd.org/changeset/base/202582
>>
>> Log:
>>  Update the example named.conf file to answer locally for the newly
>>  released IPv4 documentation ranges (http://tools.ietf.org/html/rfc5737)
>>  and catch up to the IPv6 documentation range and domain names that 5737
>>  also references.
>>
>> Modified:
>>  head/etc/namedb/named.conf
> 
> 
> What about the corresponding changes to /etc/rc.firewall?

I have no objection, however I'm not going to make the change myself for
a couple of reasons. First (and most important) being that although I
know more than the average bear about firewall configuration, I also
know that this is not my area of expertise and I'd rather let someone
who deals with this stuff on a day-to-day basis handle it. The other
reason is that I know there is ongoing work on the default IPFW stuff,
and I don't want to step on it accidentally.

Also, FWIW, I am not convinced that the _default_ firewall configuration
needs to exclude every conceivable bogon, I think a "default deny, then
let in the things you need" policy is generally the way to go, and
certainly should be the default. OTOH I do think it would be useful to
include comments that reference these kinds of things, preferably
minimal with pointers on where to go for more information. But,
unfortunately I'm not going to be the one to do it.

Finally, just to save anyone the time to ask the question, why am I
treating named.conf differently than I'm suggesting that we do with the
firewall? (I.e., why do I include all those zones in the actual conf
file?) The answer is that in the case of a local resolver there is
actual utility on the local network to having quick answers to
"questions that should not go out to the Internet" both in terms of a
better user experience (faster answers), a lower bandwidth bill, etc.
There is also a small ancillary benefit in terms of reduced garbage
traffic to the roots. (Also depending on the individual site there may
be a benefit in detecting something that is misconfigured, etc.) All
this comes at practically zero cost. Loading the same, empty zone file a
couple dozen times uses almost no extra RAM. The VSZ and RSS for named
with our default config and with the minimum necessary config are as
follows:
                        VSZ    RSS
FreeBSD Default config: 20144  11928
Minimal config:         19120  11192

In contrast, every firewall rule has a cost associated with it. The
per-rule-per-packet cost may be very tiny, but on a busy server that
adds up fairly quickly.


hth,

Doug

-- 

	Improve the effectiveness of your Internet presence with
	a domain name makeover!    http://SupersetSolutions.com/

	Computers are useless. They can only give you answers.
			-- Pablo Picasso

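The zones Doug is describing, as an added example for this thread rather than code from the FreeBSD commit or from /etc/namedb: a small POSIX sh script that derives the reverse zone names for the RFC 5737 TEST-NETs (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and the RFC 3849 documentation prefix (2001:db8::/32), and emits one BIND empty-zone stanza per name. The `rev4`/`rev6` helpers, the `master/empty.db` path and the `type master` stanza form are this example's assumptions about the layout, not facts taken from r202582; the helpers are general enough to handle any octet- or nibble-aligned prefix, not just the documentation ranges.

```shell
#!/bin/sh
# Added example for this thread, not code from the FreeBSD commit or /etc/namedb.
# Emits one BIND "empty zone" stanza per documentation range so a local resolver
# answers for them itself instead of sending the query to the roots.
# Assumption: the shared empty zone file lives at master/empty.db (FreeBSD layout).

EMPTY_FILE="master/empty.db"

# Reverse zone name for an IPv4 prefix on an octet boundary.
# 192.0.2.0/24 -> 2.0.192.in-addr.arpa
rev4() {
    addr=${1%/*}
    plen=${1#*/}
    case "$plen" in
        8|16|24) ;;
        *) printf 'rev4: %s is not on an octet boundary\n' "$1" >&2; return 1 ;;
    esac
    keep=$((plen / 8))
    out=""
    i=0
    oldifs=$IFS; IFS=.
    for octet in $addr; do
        i=$((i + 1))
        if [ "$i" -le "$keep" ]; then out="$octet.$out"; fi
    done
    IFS=$oldifs
    printf '%sin-addr.arpa\n' "$out"
}

# Reverse zone name for an IPv6 prefix on a nibble boundary.
# 2001:db8::/32 -> 8.b.d.0.1.0.0.2.ip6.arpa
rev6() {
    addr=$(printf '%s' "${1%/*}" | tr 'A-F' 'a-f')
    plen=${1#*/}
    if [ "$plen" -gt 128 ] || [ $((plen % 4)) -ne 0 ]; then
        printf 'rev6: %s is not on a nibble boundary\n' "$1" >&2; return 1
    fi
    # Expand "::" so the address has exactly eight groups.
    case "$addr" in
        *::*)
            head=${addr%%::*}; tail=${addr#*::}
            n=0
            oldifs=$IFS; IFS=:
            for g in $head $tail; do n=$((n + 1)); done
            IFS=$oldifs
            fill=""
            while [ "$n" -lt 8 ]; do fill="${fill:+$fill:}0"; n=$((n + 1)); done
            addr="${head:+$head:}$fill${tail:+:$tail}"
            ;;
    esac
    # Zero-pad every group to four hex digits and concatenate the 32 nibbles.
    nibbles=""
    oldifs=$IFS; IFS=:
    for g in $addr; do
        while [ ${#g} -lt 4 ]; do g="0$g"; done
        nibbles="$nibbles$g"
    done
    IFS=$oldifs
    # Keep the first plen/4 nibbles and emit them most-specific first.
    out=""
    i=0
    while [ "$i" -lt $((plen / 4)) ]; do
        c=${nibbles%"${nibbles#?}"}      # first remaining nibble
        nibbles=${nibbles#?}
        out="$c.$out"
        i=$((i + 1))
    done
    printf '%sip6.arpa\n' "$out"
}

# The same empty file backs every stanza, which is why a couple dozen of them
# add almost nothing to named's RSS.
empty_zone() {
    printf 'zone "%s" { type master; file "%s"; };\n' "$1" "$EMPTY_FILE"
}

documentation_zones() {
    for name in example.com example.net example.org; do             # RFC 2606
        empty_zone "$name"
    done
    for prefix in 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24; do   # RFC 5737
        empty_zone "$(rev4 "$prefix")"
    done
    empty_zone "$(rev6 2001:db8::/32)"                               # RFC 3849
}

documentation_zones
```

Two caveats a practitioner would want: example.com, example.net and example.org do resolve on the public Internet, so a site that uses them for testing should drop those three stanzas and keep only the reverse zones; and this only makes sense on the recursive resolver, which is exactly the distinction the post draws. An empty zone costs a little memory once at load time, while a packet-filter rule for the same range is evaluated on every packet that reaches it.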