Bridging Firewall Machine Questions

Ian Kaney ikaney at crisiant.com
Fri Jan 27 02:40:47 PST 2006


Hi, thanks for the replies.

As per Chuck's request, I've lumped together the output of the suggested
commands and got the current kernel configuration and put them online for
you to take a look at and see what you think.

http://www.sisko.net/bridge/dmesg.txt

http://www.sisko.net/bridge/kernconf.txt

http://www.sisko.net/bridge/sysctl.txt

http://www.sisko.net/bridge/vmstat.txt

And finally the actual ipfw rule set I'm using:

http://www.sisko.net/bridge/ipfw.txt

Some interesting points as well that were raised. I'm currently using device
polling in the kernel configuration, but I've never personally used
interrupt coalescing or the fast-forwarding sysctl.

The rule set I have in ipfw (as above) isn't that strict or overly
complicated. It basically just states traffic can get out and blocks some
typical Trojan ports on "internal" machines. The bridge theoretically isn't
to block traffic; traffic should be able to behave normally in and out of
the network. However, the bridge should give the ability to block
typical ports and/or certain machine IPs if they're causing issues (DoS,
etc.).

I also didn't know SMP could be slower, I thought FreeBSD 5.x had gone to
great lengths to improve the SMP performance. Would it be better to just
implement a more powerful single processor machine to do the bridging?

Dynamic rules do get generated (see ipfw rule set above) because FTP was
having issues when I started to not keep-state, etc. However I'm still not
overly sure that the rules I have are actually "keepers" as it were.

If you can give any more tips/advice with the information provided it'd be a
great help! :)

--
Ian Kaney
Mail: ikaney at crisiant.com
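An illustrative ipfw rule set for a transparent bridge of the kind described in the message above, added here as an example; it is not Ian's actual rule set (that is at the ipfw.txt link). The 192.0.2.0/24 range, the port list, the availability of ipfw tables on the 5.x release in use and the bridge(4) sysctl name are assumptions.

```shell
#!/bin/sh
# Constructed example of a bridging firewall rule set for ipfw on FreeBSD
# 5.x, not the list poster's rules. The address range, port list and the
# use of ipfw tables are assumptions. Bridged frames are only handed to
# ipfw when the bridge(4) sysctl net.link.ether.bridge.ipfw is set to 1.
FWCMD="${FWCMD:-/sbin/ipfw}"      # set FWCMD=echo to preview without applying
INSIDE_NET="192.0.2.0/24"         # assumed: range of the "internal" machines
TROJAN_PORTS="12345,27374,31337"  # constructed: ports to refuse on internal hosts

setup_bridge_rules() {
    $FWCMD -f flush
    # Dynamic rules created by keep-state below are matched here first, so
    # replies and FTP data connections that belong to a known session pass
    # without being re-evaluated against the deny rules.
    $FWCMD add 100 check-state
    # Hosts placed in table 1 are cut off in both directions; this covers
    # the "certain machine IPs causing issues" case from the message.
    # (log needs net.inet.ip.fw.verbose=1 to actually write anything.)
    $FWCMD add 200 deny log ip from "table(1)" to any
    $FWCMD add 210 deny log ip from any to "table(1)"
    # Refuse the usual suspect ports only when an internal machine is the
    # destination, so the bridge stays transparent for everything else.
    $FWCMD add 300 deny log tcp from any to $INSIDE_NET $TROJAN_PORTS
    # Sessions started by internal machines create dynamic state, which is
    # what keeps active-mode FTP working; all remaining traffic is passed.
    $FWCMD add 400 allow tcp from $INSIDE_NET to any setup keep-state
    $FWCMD add 410 allow udp from $INSIDE_NET to any keep-state
    $FWCMD add 65000 allow ip from any to any
}

block_host() {
    # Add one address to table 1 without reloading the whole rule set.
    $FWCMD table 1 add "$1"
}

case "${1:-}" in
    apply)   setup_bridge_rules ;;
    preview) (FWCMD=echo; setup_bridge_rules) ;;
    block)   block_host "$2" ;;
esac
```

Run it as `sh bridge-rules.sh preview` to see the rules that would be loaded, and `sh bridge-rules.sh block A.B.C.D` to cut off one host.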

More information about the freebsd-questions mailing list