Wednesday, July 31, 2019

Re: hardware assisted ethernet filtering

On Wed, Jul 31, 2019 at 11:48:24PM +0100, Tom Smyth wrote:
> Hi all,
> I was just wondering, is there an ethtool equivalent in OpenBSD?
> In particular, I'm interested in trying to harness some of the features
> in the XL710 and more advanced Intel Ethernet chipsets, where they
> allow a (limited) number of filter rules to be applied to a given network
> interface, for example to drop high packet rate UDP floods / amplification attacks:
> #drop NTP responses (good and bad) inbound on interface enp134s0f0
> ethtool --config-ntuple enp134s0f0 flow-type udp4 src-port 123 action -1
> #drop DNS responses (good and bad) inbound on interface enp134s0f0
> ethtool --config-ntuple enp134s0f0 flow-type udp4 src-port 53 action -1
>

Not hardware filter features, no. But you may be interested in the
bpf(4) "filter drop" feature extended recently by dlg@ and added to
tcpdump(8); it can be useful in cases where pf(4) cannot.

https://marc.info/?l=openbsd-cvs&m=155286777331151&w=2

https://man.openbsd.org/tcpdump#B

> The benefit of using the NIC's ability to filter would be to reduce the
> effects of a high packet rate attack against the OpenBSD router.
> What way would the OpenBSD devs think this should be done?
> Extending ifconfig? Or a separate tool?
>
> It would be nice if the tool's commands were more like pf and less
> like ethtool (because the syntax of ethtool sucks a little here).
> Some downside risks of the hardware filtering offload are that it is not
> immediately obvious to someone analysing the firewall rules that there is
> a hardware filter in place... perhaps this could be mitigated by some sort
> of
>
> so it might be an idea to prepend a line comment to /etc/pf.conf to give
> the sysadmin a hint that there is a hardware filter in play before the
> firewall gets to see the packets...
>
> Any interest? Ideas? Alternative view points on it...
> Thanks for your time
>
> Tom Smyth.
>
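
As an added example (not part of the original mail, nor OpenBSD's own code), here is how the two ethtool ntuple rules quoted above translate to the bpf(4) filter-drop mechanism the reply points to. It assumes the OpenBSD tcpdump(8) -B fildrop option linked above, with its three modes pass, capture and drop, and that the "inbound" and "src port" filter primitives are available; the interface name ix0 and the pcap path are illustrative placeholders.

```shell
#!/bin/sh
# Added example for this thread, not code from the original mail or from
# OpenBSD.  Assumes OpenBSD tcpdump(8) with -B fildrop (pass|capture|drop).
# "ix0" and the pcap path below are placeholders, not real configuration.

# udp_src_expr PORT...
# Build the BPF filter expression: inbound UDP whose source port is one of
# PORT..., i.e. the software counterpart of the ethtool ntuple rules above.
udp_src_expr() {
    [ $# -gt 0 ] || { echo "udp_src_expr: need at least one port" >&2; return 1; }
    filt=""
    for port in "$@"; do
        filt="${filt:+$filt or }src port $port"
    done
    printf 'inbound and udp and (%s)' "$filt"
}

# bpf_drop_cmd IFACE PORT...
# Print the tcpdump(8) invocation that makes the kernel drop matching packets
# in the bpf tap, before ether_input/ip_input and therefore before pf sees
# them.  -B drop discards without capturing, -p keeps the interface out of
# promiscuous mode and -n avoids name lookups while under load.
bpf_drop_cmd() {
    iface=$1; shift
    printf 'tcpdump -i %s -n -p -B drop "%s"\n' "$iface" "$(udp_src_expr "$@")"
}

# bpf_capture_drop_cmd IFACE FILE PORT...
# Same drop, but -B capture still delivers the matched packets to tcpdump so
# they can be written to FILE with -w for later analysis of the flood.
bpf_capture_drop_cmd() {
    iface=$1; file=$2; shift 2
    printf 'tcpdump -i %s -n -p -B capture -w %s "%s"\n' \
        "$iface" "$file" "$(udp_src_expr "$@")"
}

# Only arm the drop on OpenBSD as root; elsewhere just show the commands.
# The drop is in effect only while this tcpdump process holds the bpf
# descriptor, so the eval blocks for as long as the filter should apply.
if [ "$(uname -s)" = OpenBSD ] && [ "$(id -u)" -eq 0 ]; then
    cmd=$(bpf_drop_cmd ix0 123 53)
    echo "running: $cmd" >&2
    eval "$cmd"
else
    bpf_drop_cmd ix0 123 53
    bpf_capture_drop_cmd ix0 /var/log/udp-flood.pcap 123 53
fi
```

Two caveats a practitioner should keep in mind. The packet has already been received by the NIC and turned into an mbuf by the driver before the bpf tap runs, so this saves the stack and pf the work of processing the flood but, unlike an ntuple rule in the hardware, does not reduce interrupt or driver load. And it has exactly the visibility problem raised in the quoted mail: nothing in /etc/pf.conf shows that the drop exists; the running tcpdump process (and a supervisor that restarts it) is the only evidence, so it belongs in an rc script or documentation next to the firewall rules.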
