[OpenIndiana-discuss] Routing and avahi questions

James Carlson carlsonj at workingcode.com
Mon Mar 26 14:50:48 UTC 2012


Gary Gendel wrote:
> I have my OpenIndiana box providing wan/lan routing with firewall/nat. 
> I was having some really slow wan performance so I started digging in. 
> The performance issue was a compromised user account and a machine on
> the internet downloading everything from the account, pegging my upload
> bandwidth quota.
> 
> However, in my investigations, I've noticed a few things that I was
> wondering about...
> 
> Using snoop, I'm seeing a steady flood of ARP request broadcast from my
> ISP.  As I only have one IP address/MAC allowed does it make sense to
> filter out the "not-for-me" requests or doesn't it really matter?  Is
> there even a way to do this without breaking the WAN-side?

I think that it's likely to be more work to filter these out than it is
to let the system properly discard them as part of ARP processing.  And
if the filtering is not done right, there are certainly some correctness
risks involved -- a "not for me" query that nonetheless indicates a
source IP/mac mapping change actually must be processed, at least per
the RFCs.

But it's your machine.  If you can figure a way to filter them, and if
you can measure the result and show that it's worthwhile, go for it.  I
just think you're barking up the wrong tree.

> The second question is that I noticed that Avahi has bound itself to
> both my WAN and LAN nics.  Is there a way to limit this to the LAN nic? 
> Does mdns have a similar issue?  I discovered this by running "bssh" and
> seeing the service both on my bge0 (WAN) and bge1 (LAN) nics.

These should be the same thing -- just block UDP port 5353 in the places
where you don't want Avahi/mDNS stuff to leak.

-- 
James Carlson         42.703N 71.076W         <carlsonj at workingcode.com>
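
The ARP point in the reply above (a "not for me" query that carries a changed source IP/MAC mapping must still be processed) can be seen in a small Python model of the RFC 826 packet-reception steps. This is an added example, not part of the original message. All addresses, the helper names and the sample packets are constructed for illustration.

```python
import socket
import struct

ARP_REQUEST = 1
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ARP_FMT = "!HHBBH6s4s6s4s"  # 28-byte Ethernet/IPv4 ARP payload


def build_arp(op, sha, spa, tha, tpa):
    """Pack an ARP payload (used here only to construct test input)."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       bytes.fromhex(sha.replace(":", "")), socket.inet_aton(spa),
                       bytes.fromhex(tha.replace(":", "")), socket.inet_aton(tpa))


def receive_arp(payload, my_ip, cache):
    """RFC 826 reception logic. Returns (cache_changed, must_reply)."""
    if len(payload) < 28:
        return False, False
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        return False, False
    sender_ip, sender_mac = socket.inet_ntoa(spa), sha.hex(":")
    changed = False
    merge = sender_ip in cache
    if merge:
        # Known sender: refresh its mapping even if the target is someone else.
        changed = cache[sender_ip] != sender_mac
        cache[sender_ip] = sender_mac
    if socket.inet_ntoa(tpa) != my_ip:
        return changed, False      # not for me: no new entry, no reply
    if not merge:
        cache[sender_ip] = sender_mac
        changed = True
    return changed, op == ARP_REQUEST


def demo():
    """Gateway (already cached) asks for a neighbour from a new MAC."""
    my_ip, gw = "203.0.113.10", "203.0.113.1"   # constructed addresses
    cache = {gw: "00:11:22:33:44:55"}
    pkt = build_arp(ARP_REQUEST, "00:11:22:33:44:66", gw,
                    "00:00:00:00:00:00", "203.0.113.77")
    return receive_arp(pkt, my_ip, cache), cache[gw]


if __name__ == "__main__":
    print(demo())
```

A filter that drops every request whose target is not the local address would leave the stale gateway entry in place in the `demo()` case.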


