Hi,
    I am using the T5 firewall features on FreeBSD 11 and 12 in
production and it works great! 

On 3/7/2021 10:41 AM, Lyubomir Yotov wrote:
> - is it safe to add rules on the fly in BSDRP?
I add and remove rules on the fly all the time.
> - is it safe to implement drop only rules on a production server
> without breaking the other traffic (should I have an allow-all in the
> end)?
> I would like to test dropping all packets incoming on cxl0 from any
> host to host 192.168.1.122 with destination port 23. I suppose a rule
> like the following will do the job:
>
> #cxgbetool t5nex0 filter 10 iport 0 action drop dip 192.168.1.122
> dport 23
>
Careful of the orientation. If you have 2 ports, the iport makes a
difference as to whether the rule gets hit or not.


> If I want this persistent I should create a script probably and start
> it with the system boot?
Yes. I have yet to come up with a nice interface to do this. For some
strange reason, cxgbetool displays IP addresses in HEX ?!?
> How many rules can I plug in?

I am not sure, but I think

dev.t5nex.0.nfilters: number of filters

shows the limit? I have 20 on one box that handles about 1Gb/s of
packet forwarding. Under DDoS it sees 5-8 and nicely drops those packets
and normal traffic flows unhindered.

I also have

hw.cxgbe.attack_filter="1"
hw.cxgbe.drop_pkts_with_l3_errors="1"

as I often see corrupted packets as part of the DDoS, so I just drop
those anyways. The packets do show up in the NIC counters, so if you
are using grafana/cacti to monitor bandwidth, you will see them as part
of the traffic counts.

I run this every 5min and then graph it on cacti to keep track of how
much is dropped on the box. It's kinda depressing how much RFC1918 and
Bogon traffic gets dropped :(

/usr/sbin/cxgbetool t5nex0 filter list | /usr/bin/grep -v Hits |
/usr/bin/awk '{ sum+=$2;} END{print sum;}' > /var/run/filter-stats.log


    ---Mike


>
> Regards,
> Lyubomir
>
>
> _______________________________________________
> Bsdrp-users mailing list
> Bsdrp-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bsdrp-users
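The two practical pieces of the thread, loading drop rules from a file at boot and summing the per-filter hit counters for a poller, as one added shell script. This is example code written for this page, not something from the thread or from the BSDRP or cxgbe projects. It assumes the column layout that Mike's `awk '{ sum+=$2 }'` implies (filter index in column 1, hit counter in column 2) without having verified cxgbetool's real output format, the sample "filter list" output and rule file are constructed, and `/dev/t5nex0` as the nexus device node is an assumption; when the tool is not present the rules are only printed, so everything can be checked offline.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): install cxgbe T5 filter
# rules from a file and aggregate their hit counters for a poller such as
# cacti. ASSUMPTION carried over from the awk '$2' in the original one-liner
# and not verified against cxgbetool's actual layout: "filter list" prints
# the filter index in column 1 and the hit counter in column 2.

# Constructed rule file (not from the thread) in the syntax used on the
# command line there: "<filter index> <cxgbetool filter arguments>".
# One rule per physical port, which is the "orientation" point about iport.
SAMPLE_RULES='# drop telnet to 192.168.1.122 arriving on either port
10 iport 0 action drop dip 192.168.1.122 dport 23
11 iport 1 action drop dip 192.168.1.122 dport 23'

# Constructed sample of "filter list" output (NOT real cxgbetool output),
# used so the hit-count functions can run without the adapter.
SAMPLE_FILTER_LIST='Idx Hits Rule
10 1234 iport 0 action drop dip 192.168.1.122 dport 23
11 0 iport 1 action drop dip 192.168.1.122 dport 23
12 98765 (bogon drop rule)'

# Build the cxggbetool command for each rule line read from stdin. Blank
# lines and '#' comments are skipped. With DRY_RUN set, or when the tool is
# not installed, the commands are printed instead of executed.
apply_rules() {
    while read -r idx args; do
        case $idx in ''|'#'*) continue ;; esac
        cmd="/usr/sbin/cxgbetool t5nex0 filter $idx $args"
        if [ -n "${DRY_RUN:-}" ] || [ ! -x /usr/sbin/cxgbetool ]; then
            printf '%s\n' "$cmd"
        else
            $cmd
        fi
    done
}

# Print the live filter table if the tool and adapter are present
# (/dev/t5nex0 is an assumed device node), else the constructed sample.
filter_list() {
    if [ -x /usr/sbin/cxgbetool ] && [ -e /dev/t5nex0 ]; then
        /usr/sbin/cxgbetool t5nex0 filter list
    else
        printf '%s\n' "$SAMPLE_FILTER_LIST"
    fi
}

# Sum the hit column. Only lines whose second field is a plain integer are
# counted, so the header is skipped without a separate grep and the result
# is 0 rather than empty when there are no filters at all.
sum_hits() {
    awk '$2 ~ /^[0-9]+$/ { sum += $2 } END { print sum + 0 }'
}

# Per-filter breakdown, busiest first: "<idx> <hits>".
top_hits() {
    awk '$2 ~ /^[0-9]+$/ { print $1, $2 }' | sort -k2,2nr
}

# Write the total for the poller. The value goes to a temp file that is
# renamed into place, so the poller never reads a half-written file if
# cxgbetool fails part-way through a run.
write_stats() {
    out=${1:-/var/run/filter-stats.log}
    tmp="$out.tmp.$$"
    total=$(filter_list | sum_hits) || return 1
    printf '%s\n' "$total" > "$tmp" && mv "$tmp" "$out"
}

# Example run (offline it prints the would-be commands and the sample stats):
printf '%s\n' "$SAMPLE_RULES" | DRY_RUN=1 apply_rules
filter_list | top_hits
filter_list | sum_hits
```

To make the rules persistent, call `apply_rules < /path/to/rules` from a boot-time script (an rc.d script or `/etc/rc.local`), and run `write_stats` from cron every five minutes in place of the one-liner; `top_hits` shows which rule is absorbing the traffic, which the plain total does not.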


