Wednesday, July 31, 2019

hardware assisted ethernet filtering

Hi all,
I was just wondering, is there an ethtool equivalent in OpenBSD?
In particular I'm interested in trying to harness some of the features
in the XL710 and more advanced Intel Ethernet chipsets, where they
allow a (limited) number of filter rules to be applied to a given network
interface, for example to drop high packet rate UDP floods / amplification attacks:

#drop NTP responses (good and bad) inbound on interface enp134s0f0
ethtool --config-ntuple enp134s0f0 flow-type udp4 src-port 123 action -1
#drop DNS responses (good and bad) inbound on interface enp134s0f0
ethtool --config-ntuple enp134s0f0 flow-type udp4 src-port 53 action -1

The benefit of using the NIC's ability to filter would be to reduce the
effects of a high packet rate attack against the OpenBSD router.
What way would the OpenBSD devs think this should be done?
Extending ifconfig?
Or a separate tool?

It would be nice if the tool's commands were more like pf and less
like ethtool (because the syntax of ethtool sucks a little here).
One downside risk of the hardware filtering offload is that it is not
immediately obvious to someone analysing the firewall rules that there is
a hardware filter in place... perhaps this could be mitigated by some sort of

So it might be an idea to prepend a line comment to /etc/pf.conf to give
the sysadmin a hint that there is a hardware filter in play before the
firewall gets to see the packets...

Any interest? Ideas? Alternative viewpoints on it...
Thanks for your time.

Tom Smyth.
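The script below is an added example and is not part of Tom's post or of any OpenBSD tool. It wraps the two ethtool ntuple rules quoted in the post and implements the mitigation he suggests: a comment block at the top of pf.conf, regenerated from `ethtool -u`, so that whoever reads the firewall rules sees that the NIC drops packets before pf does. Linux and ethtool are assumed throughout (the post asks for an OpenBSD equivalent, which this does not supply); the interface name enp134s0f0 is taken from the post, while the script name hwfilter.sh, the PFCONF path and the layout of the `ethtool -u` output used in the sample are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: apply the NIC drop rules and record them
# as a marker block at the top of pf.conf. Assumes Linux + ethtool; the
# "ethtool -u" output layout, the interface name and PFCONF are assumptions.

PFCONF="${PFCONF:-/etc/pf.conf}"
MARK="# HW-FILTER"

# Turn "ethtool -u <dev>" output (stdin) into one pf.conf comment per rule.
# ethtool prints masks inverted: "mask: 0x0" on a port means "match this
# value exactly", "mask: 0xffff" means the field is a wildcard.
hw_filter_comments() {
    awk -v dev="$1" -v mark="$MARK" '
    function flush() {
        if (id == "") return
        line = mark " " dev " rule " id ": " type
        if (sport != "") line = line " src-port " sport
        if (dport != "") line = line " dst-port " dport
        print line " -> " action " (handled in NIC before pf sees the packet)"
        id = ""; type = ""; sport = ""; dport = ""; action = ""
    }
    /^[ \t]*Filter: /    { flush(); id = $2 }
    /^[ \t]*Rule Type: / { sub(/^[ \t]*Rule Type: /, ""); type = $0 }
    /^[ \t]*Src port: /  { if ($5 == "0x0") sport = $3 }
    /^[ \t]*Dest port: / { if ($5 == "0x0") dport = $3 }
    /^[ \t]*Action: /    { sub(/^[ \t]*Action: /, ""); action = $0 }
    END { flush() }'
}

# Rewrite pf.conf with a fresh marker block first and any old block removed,
# so the comment always reflects what the NIC is currently doing.
update_pf_comment() {
    dev="$1"; conf="$2"; tmp="$conf.tmp.$$"
    {
        echo "$MARK BEGIN: NIC ntuple filters on $dev (see: ethtool -u $dev)"
        ethtool -u "$dev" | hw_filter_comments "$dev"
        echo "$MARK END"
        grep -v "^$MARK" "$conf" || true
    } > "$tmp" && mv "$tmp" "$conf"
}

# The rules from the post: drop inbound NTP and DNS responses in hardware.
apply_drop_rules() {
    dev="$1"
    ethtool -K "$dev" ntuple on
    ethtool -U "$dev" flow-type udp4 src-port 123 action -1
    ethtool -U "$dev" flow-type udp4 src-port 53 action -1
}

# Constructed sample of "ethtool -u" output (layout assumed, not captured).
sample_ethtool_u() {
    printf 'Total 2 rules\n\n'
    printf 'Filter: 0\n\tRule Type: UDP over IPv4\n'
    printf '\tSrc IP addr: 0.0.0.0 mask: 255.255.255.255\n'
    printf '\tSrc port: 123 mask: 0x0\n\tDest port: 0 mask: 0xffff\n\tAction: Drop\n'
    printf 'Filter: 1\n\tRule Type: UDP over IPv4\n'
    printf '\tSrc port: 53 mask: 0x0\n\tDest port: 0 mask: 0xffff\n\tAction: Drop\n'
}

# Offline demo: render the sample without touching ethtool or pf.conf.
demo_comments() {
    sample_ethtool_u | hw_filter_comments enp134s0f0
}

# Usage: ./hwfilter.sh enp134s0f0   (needs root and a NIC with ntuple support)
if [ "$#" -gt 0 ]; then
    apply_drop_rules "$1" && update_pf_comment "$1" "$PFCONF"
fi
```

Run with no arguments it does nothing; `demo_comments` prints the two marker lines that would land in pf.conf for the sample. Because the block is regenerated from `ethtool -u` rather than from the commands that were typed, rules added by hand or by another tool also show up, which is the point of the warning comment in the first place.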
