ipfw on just inbound and not outbound
Ian Smith
smithi at nimnet.asn.au
Thu Apr 16 07:31:11 UTC 2015
On Thu, 16 Apr 2015 11:41:54 +0800, Julian Elischer wrote:
> On 4/15/15 5:09 AM, hiren panchasara wrote:
> > Apologies if this is something silly but I want to completely eliminate
> > ipfw from outgoing traffic perspective. I just want to have it on
> > incoming. I can always add "allow ip from any to any out" as the first
> > rule but that is still ipfw doing something.
> >
> > Is there a way to tell ipfw to not look at outbound traffic at all?
> no
> >
> > OR, the rule I mentioned is the best that can be done here?
> yes
>
> this touches on something I've been thinking of for a while.. per
> interface/direction rule sets.
> but that doesn't exist yet.
>
> you could write a kernel module that would disconnect the outgoing packet
> filter hooks
> but "hack" comes to mind as a description there.
>
> actually.... you could use the ipfw netgraph hook and only hook it up for
> incoming packets,
> but it would probably be not much more efficient than just having the rule,
> and more complicated to set up.
I'm wondering if the cost of that one rule is even worth worrying about.
Hiren, you might try running iperf (ono):
a) after 'ipfw disable firewall'
b) after just 'ipfw add 20000 allow ip from any to any'
c) after say 1000 rules before getting to (b) by such as:
for i in `jot - 0 999`; do
ipfw add $((i*10+1000)) count ip from any to any
done
to then calculate a cost per rule. Tens or hundreds of ns?
Of course, whether that cost is significant depends on the sort of pps
rates you're having (or hoping :) to deal with on the box in question ..
> > cheers,
> > Hiren
> >
> > ps: Please keep me cc'd as I am not subscribed.
cheers, Ian
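An added example, not part of Ian's message or of FreeBSD's own tooling: a small POSIX sh harness for the three measurements he suggests (firewall disabled, one allow rule, 1000 count rules in front of it) plus the per-rule arithmetic. The ipfw commands are the real ones; the function names gen_rules, set_state and per_rule_ns are mine, and the packets-per-second figures are assumed to come from your own iperf run (for instance read off `netstat -w 1 -I ifname` while iperf is pushing traffic), since iperf itself reports bandwidth rather than pps. The ipfw parts need root on a FreeBSD host.

```shell
#!/bin/sh
# Added example harness for the three-way ipfw comparison in the thread.
# The ipfw invocations are real commands; measuring pps is left to you
# (assumption: iperf traffic, pps read from netstat -w on the interface).

# Emit N "count" rules numbered 1000, 1010, ... exactly as in Ian's loop,
# in the file syntax that `ipfw <file>` loads (no leading "ipfw").
gen_rules() {
    n=$1
    i=0
    while [ "$i" -lt "$n" ]; do
        echo "add $((i*10+1000)) count ip from any to any"
        i=$((i+1))
    done
}

# Put the firewall into one of the three states being compared:
#   disabled  - (a) ipfw disable firewall
#   allow     - (b) a single "allow ip from any to any" at 20000
#   count N   - (c) N count rules ahead of that allow rule
# Caveat: after "flush" only the fixed rule 65535 remains, which denies
# unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT, so the
# rules are loaded before the firewall is re-enabled to avoid locking
# yourself out of a remote box.
set_state() {
    case $1 in
    disabled)
        ipfw disable firewall ;;
    allow)
        ipfw -q -f flush
        ipfw -q add 20000 allow ip from any to any
        ipfw enable firewall ;;
    count)
        ipfw -q -f flush
        tmp=$(mktemp) || return 1
        gen_rules "$2" > "$tmp"
        ipfw -q "$tmp"                  # load the N count rules from file
        rm -f "$tmp"
        ipfw -q add 20000 allow ip from any to any
        ipfw enable firewall ;;
    *)
        echo "usage: set_state disabled|allow|count N" >&2
        return 2 ;;
    esac
}

# Turn two packets-per-second measurements into a per-rule cost in ns:
# (per-packet time with N rules - per-packet time without them) / N.
# Arguments: baseline pps, pps with N rules in place, N.
per_rule_ns() {
    base_pps=$1
    rules_pps=$2
    nrules=$3
    awk -v b="$base_pps" -v r="$rules_pps" -v n="$nrules" \
        'BEGIN { printf "%.2f\n", (1e9/r - 1e9/b)/n }'
}

# Usage:  sh bench.sh state count 1000      (then run iperf and note pps)
#         sh bench.sh cost 1000000 800000 1000
case ${1:-} in
state) set_state "$2" "${3:-0}" ;;
cost)  per_rule_ns "$2" "$3" "$4" ;;
esac
```

Compare (a) against (b) to see what a single rule plus the hook itself costs, and (b) against (c) with N=1000 so that the per-rule figure is averaged over enough rules to rise above measurement noise. Whether the result matters is, as Ian says, a question of the pps rate the box actually sees.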