[Oisf-users] NETMAP guide - FreeBSD /etc/rc.conf
elof2 at sentor.se
Thu Apr 7 13:12:13 UTC 2016
So, I'll start with a bunch of "stupid" questions.
My intention is to put together your replies into a general wiki-page for
NETMAP.
##########################################################################
For IDS-mode (ix0 and ix1 receive mirrored traffic) I have this in my /etc/rc.conf:
# Disable unnecessary stuff (arp-learning)
# Disable lro (suricata requirement)
# Disable all hw acceleration (NETMAP requirement)
# Put interface in monitor mode to drop packets immediately after being captured
ifconfig_ix0="up -arp -lro -rxcsum -rxcsum6 monitor"
ifconfig_ix1="up -arp -lro -rxcsum -rxcsum6 monitor"
Example of running sniffer interface:
ix1: flags=488c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
        options=8403b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
        ether 0c:12:34:56:78:91
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
Do you think I should add anything more (or less) to /etc/rc.conf when
running suricata in IDS mode?
##########################################################################
For IPS-mode (ix0=outside and ix1=inside):
/etc/rc.conf:
ifconfig_ix0="inet 1.2.3.50 netmask 255.255.255.0 -lro -rxcsum -rxcsum6 -txcsum -txcsum6 -tso -tso6"
ifconfig_ix1="inet 10.0.0.1 netmask 255.255.255.0 -lro -rxcsum -rxcsum6 -txcsum -txcsum6 -tso -tso6"
Ex:
ix0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
        ether 0c:12:34:56:78:90
        inet 1.2.3.50 netmask 0xffffff00 broadcast 1.2.3.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
Do you think I should add anything more (or less) to /etc/rc.conf when
running suricata in IPS mode?
##########################################################################
(if you have any similar examples for Linux, let me know and I'll
include them in the wiki)
/Elof
On Thu, 10 Mar 2016, elof2 at sentor.se wrote:
> Hi all, especially FreeBSD users.
>
> In the docs directory there's an old textfile for FreeBSD 8.
>
> I would greatly appreciate if the FreeBSD users merged together an updated
> textfile with hints, tips and tricks for FreeBSD 10.x/11.x, with the new
> NETMAP support.
>
>
>
> Examples of topics I'd like:
>
> What hardware (NICs) is known to work well?
>
> rc.conf
> - give examples and explain that e.g. options "-lro" and "monitor" should be
> used (for IDS mode)
>
>
> What tweaks to put in /etc/sysctl.conf (and /boot/loader.conf???).
> - net.bpf.zerocopy_enable=1 ?
> - net.bpf.maxbufsize= huge number? How large? 15% of total RAM?
> - kern.ipc.maxsockbuf? kern.threads.max_threads_per_proc? dev.ix.0.fc=0? -
> etc
>
>
> What config/tweaks to put in suricata.yaml
> - specifically for NETMAP
> - Mapping CPUs to queues
> - recommended runmode
> - etc
>
>
>
> If you people can feed me your thoughts and experiences, I'm happy to put
> together a new textfile (FreeBSD.NETMAP.txt) for the docs dir.
>
>
>
>
> It's time to show the world that linux+PF-RING isn't the only way to go.
>
> /Elof
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net
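As an added example (not from Elof's post or the Suricata docs), the script below parses FreeBSD ifconfig output and reports which hardware offloads are still on and, for IDS mode, whether -arp and monitor took effect. It assumes FreeBSD's capability names (LRO, RXCSUM, RXCSUM_IPV6, TXCSUM, TXCSUM_IPV6, TSO4, TSO6); the samples are constructed from the two ifconfig outputs quoted above, and the IDS sample shows TSO4/TSO6 still enabled because that rc.conf line does not pass -tso.

```shell
#!/bin/sh
# Constructed samples, copied from the ifconfig output in the post above.
SAMPLE_IDS='ix1: flags=488c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
    options=8403b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
    ether 0c:12:34:56:78:91
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    status: active'
SAMPLE_IPS='ix0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
    inet 1.2.3.50 netmask 0xffffff00 broadcast 1.2.3.255
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    status: active'

# Pull the comma-separated names out of "<keyword>=<hex><NAMES>". The nd6
# line also says "options=", so it is skipped explicitly.
field_list() {  # $1 = ifconfig text, $2 = flags | options
    printf '%s\n' "$1" | sed -n "/nd6/d; s/.*$2=[0-9a-f]*<\([^>]*\)>.*/\1/p" | head -n 1
}

has_item() {  # $1 = comma-separated list, $2 = name
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_iface ids|ips "<ifconfig output>"
# Prints one line per finding and returns the number of findings (0 = clean).
check_iface() {
    mode=$1; text=$2; problems=0
    flags=$(field_list "$text" flags)
    opts=$(field_list "$text" options)
    # Offloads that must be off before the NIC is handed to netmap/suricata,
    # paired with the ifconfig knob that turns each one off.
    for pair in LRO:-lro RXCSUM:-rxcsum RXCSUM_IPV6:-rxcsum6 TXCSUM:-txcsum \
                TXCSUM_IPV6:-txcsum6 TSO4:-tso4 TSO6:-tso6; do
        cap=${pair%%:*}; knob=${pair#*:}
        if has_item "$opts" "$cap"; then
            echo "$cap still enabled: add $knob to the ifconfig_ line in /etc/rc.conf"
            problems=$((problems + 1))
        fi
    done
    if [ "$mode" = ids ]; then
        # Sniffer only: no ARP, and drop packets right after capture (monitor).
        has_item "$flags" NOARP   || { echo "missing -arp";    problems=$((problems + 1)); }
        has_item "$flags" MONITOR || { echo "missing monitor"; problems=$((problems + 1)); }
    fi
    return "$problems"
}

# Stand-alone run: report on both samples.
check_iface ids "$SAMPLE_IDS" || echo "ids sample: $? finding(s)"
check_iface ips "$SAMPLE_IPS" && echo "ips sample: clean"
```

On a live box, replace the samples with `ifconfig ix0` output and run the check before starting suricata.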