[Oisf-users] NETMAP guide - FreeBSD /etc/rc.conf

Shirkdog shirkdog at gmail.com
Thu Apr 7 13:15:02 UTC 2016


From a pure FreeBSD/Netmap perspective, I would document the specific
version of FreeBSD in your write up that these configurations worked
with Netmap. FreeBSD 11 will have Netmap enabled by default.

---
Michael Shirk


On Thu, Apr 7, 2016 at 9:12 AM,  <elof2 at sentor.se> wrote:
>
> So, I'll start with a bunch of "stupid" questions.
> My intention is to put together your replies into a general wiki-page for
> NETMAP.
>
>
> ##########################################################################
>
>
> For IDS-mode (ix0 and ix1 receive mirrored traffic) I have this in my
> /etc/rc.conf:
>   # Disable unnecessary stuff (arp-learning)
>   # Disable lro (suricata requirement)
>   # Disable all hw acceleration (NETMAP requirement)
>   # Put interface in monitor mode to drop packets immediately after being
> captured
>   ifconfig_ix0="up -arp -lro -rxcsum -rxcsum6 monitor"
>   ifconfig_ix1="up -arp -lro -rxcsum -rxcsum6 monitor"
>
>
> Example of running sniffer interface:
> ix1: flags=488c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST,MONITOR>
> metric 0 mtu 1500
>
> options=8403b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
>         ether 0c:12:34:56:78:91
>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>         media: Ethernet autoselect (10Gbase-T <full-duplex>)
>         status: active
>
>
>
> Do you think I should add anything more (or less) to /etc/rc.conf when
> running suricata in IDS mode?
>
>
>
> ##########################################################################
>
>
>
> For IPS-mode (ix0=outside and ix1=inside):
> /etc/rc.conf:
>   ifconfig_ix0="inet 1.2.3.50 netmask 255.255.255.0 -lro -rxcsum -rxcsum6
> -txcsum -txcsum6 -tso -tso6"
>   ifconfig_ix1="inet 10.0.0.1 netmask 255.255.255.0 -lro -rxcsum -rxcsum6
> -txcsum -txcsum6 -tso -tso6"
>
> Ex:
> ix0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>
> options=8400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
>         ether 0c:12:34:56:78:90
>         inet 1.2.3.50 netmask 0xffffff00 broadcast 1.2.3.255
>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>         media: Ethernet autoselect (10Gbase-T <full-duplex>)
>         status: active
>
>
> Do you think I should add anything more (or less) to /etc/rc.conf when
> running suricata in IPS mode?
>
>
>
> ##########################################################################
>
>
>
> (if you have any similar examples for Linux, let me know and I'll include
> them in the wiki)
>
> /Elof
>
>
>
>
> On Thu, 10 Mar 2016, elof2 at sentor.se wrote:
>
>> Hi all, especially FreeBSD users.
>>
>> In the docs directory there's an old textfile for FreeBSD 8.
>>
>> I would greatly appreciate if the FreeBSD users merged together an updated
>> textfile with hints, tips and tricks for FreeBSD 10.x/11.x, with the new
>> NETMAP support.
>>
>>
>>
>> Examples of topics I'd like:
>>
>> What hardware (NICs) is known to work well?
>>
>> rc.conf
>> - give examples and explain that e.g. options "-lro" and "monitor" should
>> be used (for IDS mode)
>>
>>
>> What tweaks to put in /etc/sysctl.conf (and /boot/loader.conf???).
>> - net.bpf.zerocopy_enable=1 ?
>> - net.bpf.maxbufsize= huge number? How large? 15% of total RAM?
>> - kern.ipc.maxsockbuf? kern.threads.max_threads_per_proc? dev.ix.0.fc=0? -
>> etc
>>
>>
>> What config/tweaks to put in suricata.yaml
>> - specifically for NETMAP
>> - Mapping CPUs to queues
>> - recommended runmode
>> - etc
>>
>>
>>
>> If you people can feed me your thoughts and experiences, I'm happy to put
>> together a new textfile (FreeBSD.NETMAP.txt) for the docs dir.
>>
>>
>>
>>
>> It's time to show the world that linux+PF-RING isn't the only way to go.
>>
>> /Elof
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC:
>> http://oisfevents.net
>
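The two rc.conf layouts quoted above (IDS: "-arp -lro -rxcsum -rxcsum6 monitor"; IPS: "-lro -rxcsum -rxcsum6 -txcsum -txcsum6 -tso -tso6") are easy to get subtly wrong, and the only evidence of what actually took effect is the ifconfig output. The script below is an added example, not something from the thread or the Suricata project: it parses ifconfig-style output and reports which of the thread's requirements an interface violates. The flag and option names it looks for (NOARP, MONITOR, LRO, RXCSUM, RXCSUM_IPV6, TXCSUM, TXCSUM_IPV6, TSO4, TSO6) are the names FreeBSD's ifconfig prints for those capabilities; the three sample blocks are constructed to match the shapes shown in the thread, and their hex values are made up.

```shell
#!/bin/sh
# Added example (not from the thread): check FreeBSD ifconfig output against
# the rc.conf settings described for netmap + Suricata in IDS and IPS mode.
# Sample blocks below are constructed, modelled on the thread's examples.

# Constructed: IDS-mode sniffer port that matches the thread's rc.conf line.
IDS_OK='ix1: flags=488c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
        options=8403b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
        ether 0c:12:34:56:78:91
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active'

# Constructed: the same NIC with stock defaults, i.e. before any tweaks.
IDS_BAD='ix1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=e53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 0c:12:34:56:78:91
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active'

# Constructed: IPS-mode inline port matching the thread's second rc.conf line.
IPS_OK='ix0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
        ether 0c:12:34:56:78:90
        inet 1.2.3.50 netmask 0xffffff00 broadcast 1.2.3.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active'

# has_flag TEXT KEY NAME: true if NAME is inside the <...> list on the KEY
# line (KEY is "flags" or "options"). The "nd6 options=" line is skipped
# because it is neither the bare "options=" line nor the "ixN: flags=" line.
has_flag() {
    printf '%s\n' "$1" \
        | grep -E "^([a-z0-9]+: )?[[:space:]]*$2=[0-9a-fx]+<" \
        | sed 's/.*<\([^>]*\)>.*/\1/' \
        | tr ',' '\n' \
        | grep -qx "$3"
}

# check_ids_iface TEXT: passive sniffer requirements from the thread's IDS
# rc.conf (up, -arp, monitor, -lro, -rxcsum, -rxcsum6). Prints one line per
# violated requirement and returns non-zero if anything was wrong.
check_ids_iface() {
    _fail=0
    for f in UP NOARP MONITOR; do
        has_flag "$1" flags "$f" || { echo "flags: $f missing"; _fail=1; }
    done
    for o in LRO RXCSUM RXCSUM_IPV6; do
        ! has_flag "$1" options "$o" || { echo "options: $o still on"; _fail=1; }
    done
    return $_fail
}

# check_ips_iface TEXT: inline requirements from the thread's IPS rc.conf:
# up, addressed, NOT in monitor mode (monitor would drop forwarded frames),
# and every rx/tx offload named on that line turned off.
check_ips_iface() {
    _fail=0
    has_flag "$1" flags UP || { echo "flags: UP missing"; _fail=1; }
    ! has_flag "$1" flags MONITOR || { echo "flags: MONITOR set on inline port"; _fail=1; }
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet ' || { echo "no inet address"; _fail=1; }
    for o in LRO RXCSUM RXCSUM_IPV6 TXCSUM TXCSUM_IPV6 TSO4 TSO6; do
        ! has_flag "$1" options "$o" || { echo "options: $o still on"; _fail=1; }
    done
    return $_fail
}

# Stand-alone demo over the constructed samples; violations print first.
report() { if "$1" "$2"; then echo "$3: ready"; else echo "$3: NOT ready"; fi; }
report check_ids_iface "$IDS_OK"  "ix1 (IDS sample)"
report check_ids_iface "$IDS_BAD" "ix1 (stock defaults)"
report check_ips_iface "$IPS_OK"  "ix0 (IPS sample)"
```

On a real box, run the checker against live output, e.g. `check_ids_iface "$(ifconfig ix1)"`, after the rc.conf change has been applied, so that a typo in an ifconfig_ixN line (or a driver that silently ignores one of the `-` options) shows up as a named violation rather than as a puzzling packet-loss or checksum problem in Suricata later.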


