# IPFW stateful rules performance



## printman (Mar 16, 2010)

Hello and sorry for my bad English.

I'm testing my new firewall configuration using FreeBSD-7.2 with GENERIC kernel.

I have the following lines in rc.conf:

```
ifconfig_vr0="inet 172.16.0.3 netmask 0xffff0000"
ifconfig_vr1="inet 192.168.1.108 netmask 0xffffff00"
defaultrouter="192.168.1.8"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="vr1"
natd_flags="-dynamic -m"
```

and a simple IPFW configuration from the Handbook:

```
00002 allow ip from any to any via vr0
00003 allow ip from any to any via lo0
00100 divert 8668 ip from any to any in via vr1
00101 check-state
00125 skipto 500 ip from 172.16.10.0 to any out via vr1 limit src-addr 10
00130 allow ip from me to any out via vr1 keep-state
00420 allow tcp from 172.16.10.0 to me dst-port 22 in via vr0 keep-state
00430 allow icmp from any to me
00450 deny log logamount 5 ip from any to any
00500 divert 8668 ip from any to any out via vr1
00501 allow ip from any to any
65535 deny ip from any to any
```

Then I start a P2P client on host *172.16.10.0* to generate some traffic. Everything works fine, but running tcpdump I see that single packets are not NAT'ed and are sent to the default gateway with the real IP address:

```
test# tcpdump -n -i vr1 host 172.16.10.0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vr1, link-type EN10MB (Ethernet), capture size 96 bytes
15:04:30.678021 IP 172.16.10.0.61972 > 77.195.187.79.49945: . ack 3659396937 win 0
15:04:30.678032 IP 172.16.10.0.61835 > 24.215.1.215.6892: . ack 1812223920 win 0
15:04:30.678083 IP 172.16.10.0.30501 > 178.161.128.26.7307: . ack 638704704 win 0
15:04:30.678174 IP 172.16.10.0.30410 > 96.255.209.125.6979: . ack 3538407393 win 0
15:04:35.677946 IP 172.16.10.0.30695 > 195.131.4.167.80: . ack 3863695978 win 0
15:04:35.677957 IP 172.16.10.0.30696 > 217.30.200.20.6688: . ack 4205907280 win 0
15:04:40.677866 IP 172.16.10.0.30712 > 24.215.1.215.8082: . ack 3863870641 win 0
15:04:40.677877 IP 172.16.10.0.30731 > 195.131.4.167.80: . ack 3878559558 win 0
```

CPU and memory usage is quite low. Removing the stateful behavior from IPFW rule *00125* completely solves the problem, but is unacceptable for my future purposes. Any ideas?


----------
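A check for the symptom shown in the capture above, as an added example that is not part of the original post: it parses `tcpdump -n` output taken on the outside interface, flags packets whose source is still inside the vr0 subnet from rc.conf (assumed here to be 172.16.0.0/16), and measures the spacing between bursts of such packets. The function names and the one translated-packet line in the sample are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Assumption: the inside network is the vr0 subnet from rc.conf (172.16.0.0/16).
INSIDE_NET = ipaddress.ip_network("172.16.0.0/16")

# Matches "HH:MM:SS.ffffff IP src.sport > dst.dport: rest" as printed by tcpdump -n.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): (.*)$")

def find_leaks(lines, inside=INSIDE_NET):
    """Return packets seen on the outside interface whose source is still an inside address."""
    leaks = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner lines and non-IP traffic
        ts, src, sport, dst, dport, rest = m.groups()
        if ipaddress.ip_address(src) in inside:
            leaks.append({
                "time": datetime.strptime(ts, "%H:%M:%S.%f"),
                "src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
                "bare_ack_win0": rest.startswith(". ack") and rest.endswith("win 0"),
            })
    return leaks

def burst_gaps(leaks, burst_window=1.0):
    """Group leaks into bursts and return the gaps in seconds between burst starts."""
    starts = []
    for pkt in leaks:
        if not starts or (pkt["time"] - starts[-1]).total_seconds() > burst_window:
            starts.append(pkt["time"])
    return [round((b - a).total_seconds(), 1) for a, b in zip(starts, starts[1:])]

# Sample input: lines copied from the capture in the post, plus one constructed
# line (source 192.168.1.108, the vr1 address) standing in for a translated packet.
SAMPLE = """\
listening on vr1, link-type EN10MB (Ethernet), capture size 96 bytes
15:04:30.678021 IP 172.16.10.0.61972 > 77.195.187.79.49945: . ack 3659396937 win 0
15:04:30.678032 IP 172.16.10.0.61835 > 24.215.1.215.6892: . ack 1812223920 win 0
15:04:31.100000 IP 192.168.1.108.30501 > 178.161.128.26.7307: . ack 1 win 65535
15:04:35.677946 IP 172.16.10.0.30695 > 195.131.4.167.80: . ack 3863695978 win 0
15:04:40.677866 IP 172.16.10.0.30712 > 24.215.1.215.8082: . ack 3863870641 win 0
""".splitlines()

if __name__ == "__main__":
    found = find_leaks(SAMPLE)
    print(len(found), "untranslated packets, burst gaps (s):", burst_gaps(found))
```

On the lines taken from the post, every flagged packet is a bare ACK with `win 0`, and the bursts are five seconds apart.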

