ipfw rule processing performances
Julian Elischer
julian at freebsd.org
Thu Oct 27 00:14:21 UTC 2011
On 10/26/11 2:39 PM, Michael Sierchio wrote:
> On Wed, Oct 26, 2011 at 11:39 AM, Julian Elischer<julian at freebsd.org> wrote:
>
>> read up on all the things you can do with tablearg.. sometimes a single
>> table can replace dozens of rules.
> Julian - would you be so kind as to give an example?
>
> - M
>
off the top of my head:
implement an ad-hoc RErouting table using fwd tablearg
implement entirely different rules for a complicated set of subnets
using skipto tablearg
arbitrarily slow down all the traffic from everyone you don't like in
the company using "lookup" and queue.
from the man page:
The tablearg argument can be used with the following
actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto
action parameters: tag, untag, rule options: limit, tagged.
and...
# addresses we don't want to be seeing coming from outside..
${fwcmd} table 1 add 10.0.0.0/8
${fwcmd} table 1 add 172.16.0.0/12
${fwcmd} table 1 add 192.168.0.0/16
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
# RESERVED-1, DHCP auto-configuration, NET-TEST, MULTICAST (class D),
# and class E) on the outside interface
${fwcmd} table 1 add 0.0.0.0/8
${fwcmd} table 1 add 169.254.0.0/16
${fwcmd} table 1 add 192.0.2.0/24
${fwcmd} table 1 add 224.0.0.0/4
${fwcmd} table 1 add 240.0.0.0/4
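An added example, not from the original post, in the same ${fwcmd} style as the snippet above: tables whose entries carry a value, consumed by one skipto tablearg, one pipe tablearg and one fwd tablearg rule, so each table replaces a rule per subnet or host. The table numbers, subnets, rule numbers, pipe numbers and next-hop address are constructed, and fwcmd defaults to a dry run so the generated rules can be reviewed before loading them on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not from the original post: tables whose entries carry a
# value, consumed by one skipto tablearg, one pipe tablearg and one fwd
# tablearg rule. Subnets, rule, pipe and table numbers are constructed.
# fwcmd defaults to a dry run so the generated rules can be reviewed.
fwcmd=${fwcmd:-"echo ipfw"}

# table 2: subnet -> rule number to skip to (one rule replaces a rule per subnet)
SKIPTO_MAP="10.1.0.0/16 1000
10.2.0.0/16 2000
192.168.50.0/24 3000"
# table 3: host -> pipe number that shapes its traffic
PIPE_MAP="10.1.2.3 5
10.1.2.4 6"
# table 4: subnet -> next-hop address used by fwd (ad-hoc rerouting)
FWD_MAP="10.3.0.0/16 192.0.2.1"

load_table() {   # load_table <table-number> "<key value>" one entry per line
    tbl=$1
    printf '%s\n' "$2" | while read -r key val; do
        if [ -n "$key" ]; then
            ${fwcmd} table "$tbl" add "$key" "$val"
        fi
    done
}

gen_tablearg_rules() {
    for t in 2 3 4; do ${fwcmd} table "$t" flush; done
    load_table 2 "$SKIPTO_MAP"
    load_table 3 "$PIPE_MAP"
    load_table 4 "$FWD_MAP"
    # the table value becomes the skipto target, the pipe number, the next hop
    ${fwcmd} add 100 skipto tablearg ip from 'table(2)' to any in
    ${fwcmd} add 200 pipe tablearg ip from 'table(3)' to any
    ${fwcmd} add 300 fwd tablearg ip from 'table(4)' to any
    ${fwcmd} pipe 5 config bw 64Kbit/s
    ${fwcmd} pipe 6 config bw 128Kbit/s
    # per-subnet rule blocks that skipto lands on; each ends with a decision
    ${fwcmd} add 1000 allow ip from any to any
    ${fwcmd} add 2000 deny ip from any to any
    ${fwcmd} add 3000 count ip from any to any
}

gen_tablearg_rules
```

Run it as-is to see the rules it would load; set fwcmd=/sbin/ipfw to apply them.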