We have an OpenBSD server acting as a firewall/QoS router (no nat or rdr).
It has two requirements:
A) It has to be as "transparent" as possible. So, if the firewall is
rebooted or the state table is flushed, it must not block already
established connections or fail to assign the packets to the right queue.
B) It uses different queue names for "inside" and "outside" directions.
Initially, to avoid any problems with the above requirements, we decided
not to use the state table, so we added the "no state" keyword to
every "pass" rule.
Everything worked correctly, but now the traffic has increased and the
firewall's CPU usage is at about 75%! So I've started thinking about using
the state table to reduce the CPU usage.
I'm not sure that I fully understand all the consequences of using the
state table, and as this is a "production firewall" I'd like to ask you
a couple of questions.
1) To be as "transparent" as possible, we should use the "flags any"
keyword, because with the default "flags S/SA" keyword the connections
already established would not match the "pass" rule and would be
blocked. Am I right?
2) As we use different queue names for "inside" and "outside" traffic,
every "pass" rule has an "on <interface>" parameter and specific "from"
and "to" parameters. In this situation we should use the "set state-policy
if-bound" option. Am I right?
3) In practice, we will have two separate states, one for "inside" and
one for "outside" packets. In this situation, should we use the "sloppy"
option? Or does the server "see" every packet, so there is no problem
with normal state tracking?
Thank you.
--
___________________________________________________
__
|- [email protected]
|ederico Giannici http://www.neomedia.it
___________________________________________________
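The setup described in the message above, as an added pf.conf example that is not the poster's configuration: a two-interface transparent router that keeps state, binds each state to the interface it was created on, and picks up already established TCP connections mid-stream. The interface names, the inside network and the queue names and bandwidths are assumptions; the syntax is the OpenBSD 5.5+ queue system.

```pf
# Added example (not the poster's pf.conf). em0/em1, 192.0.2.0/24 and the
# queue names/bandwidths are assumed values chosen for illustration.
ext_if     = "em0"
int_if     = "em1"
inside_net = "192.0.2.0/24"      # assumed inside network (RFC 5737 range)

# Bind each state to the interface it was created on. With the default
# floating policy a state created on $int_if would also match the same
# packet when it leaves $ext_if, so the $ext_if rules (and their queues)
# would never be consulted.
set state-policy if-bound

# Queues for traffic leaving toward the Internet (defined on $ext_if) ...
queue out_root on $ext_if bandwidth 100M
queue out_std  parent out_root bandwidth 80M default
queue out_prio parent out_root bandwidth 20M

# ... and for traffic leaving toward the inside network (on $int_if).
queue in_root on $int_if bandwidth 100M
queue in_std  parent in_root bandwidth 80M default
queue in_prio parent in_root bandwidth 20M

# Before: stateless rules, so every packet is evaluated against the
# whole ruleset (this is what costs CPU as traffic grows). For example:
#   pass out on $ext_if proto tcp from $inside_net to any no state queue out_std

# After: stateful rules. "flags any" lets a state be created from any TCP
# packet, not only from the initial SYN (the default "flags S/SA"), so a
# connection that was already established when the state table was
# flushed is picked up mid-stream instead of being blocked.
#
# Each interface gets rules for both directions carrying that interface's
# queue: the queue is stored in the state and only takes effect when a
# packet leaves the interface the queue is defined on, so replies that
# match the state are queued as well. Last matching rule wins, so the
# port 22 rules come after the general ones.
pass out on $ext_if proto tcp from $inside_net to any \
    flags any keep state queue out_std
pass out on $ext_if proto tcp from $inside_net to any port 22 \
    flags any keep state queue out_prio
pass in  on $ext_if proto tcp from any to $inside_net \
    flags any keep state queue out_std
pass in  on $ext_if proto tcp from any to $inside_net port 22 \
    flags any keep state queue out_prio

pass in  on $int_if proto tcp from $inside_net to any \
    flags any keep state queue in_std
pass in  on $int_if proto tcp from $inside_net to any port 22 \
    flags any keep state queue in_prio
pass out on $int_if proto tcp from any to $inside_net \
    flags any keep state queue in_std
pass out on $int_if proto tcp from any to $inside_net port 22 \
    flags any keep state queue in_prio

# "sloppy" is deliberately not used here: pf.conf(5) describes it as
# intended for setups where pf does not see all packets of a connection
# (asymmetric routing). A router that is in the path for both directions
# sees every packet of the connection on each interface.
```

On a production box, check the file with `pfctl -nf /etc/pf.conf` (parse only) before loading it with `pfctl -f`. After loading, `pfctl -s states` shows the interface name in front of each state instead of "all", which confirms the if-bound policy is in effect, and `pfctl -vs queue` shows the per-queue packet counters on each interface so the inside/outside queue assignment can be verified with real traffic.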