From owner-freebsd-ipfw@FreeBSD.ORG Sun May 1 14:47:06 2005
Date: Sun, 1 May 2005 09:47:02 -0500 (CDT)
From: Chuck Rock
To: freebsd-ipfw@freebsd.org
Message-ID: <20050501093740.C38031@kira.epconline.net>
Subject: Problem with high load on Xeon server...
List-Id: IPFW Technical Discussions

I'm running FreeBSD release 5.2.1. I would like to add 61,000+ rules to ipfw. When I get to about 10,000 rules, the box's load gets real high, and stays there until I delete the rules. Has anyone actually used the 60,000+ rule numbers available? I've tried this on two different servers with similar results.

One server is a dual Xeon 2.8Gig. Average load is between 1 and 2 with 7 rules in ipfw. Load goes between 17 and 28 with around 12,000 rules.

The other server is a dual P3-1Gig with an avg. load of 1 with 7 rules. With about 9,000 rules, the load goes to 8. With 20,000 rules, the box overloaded and locked up: no kernel panic, just no keyboard, mouse, or IP traffic; the console screen froze, etc. Both boxes showed no excessive memory usage.

Why 60,000 IPs, you ask... These boxes are high-traffic mail servers, and I've got an extensive sendmail access file. I wanted to keep the servers from handling so much spam by blocking the IPs of relays that failed the access list relay check. Over about one week, I have 60,000+ unique IP addresses from my logs. On one server, when I was able to get about 21,000 rules in, the rate of spam dropped from 90% to about 50%, so I could really tell it was working. I just need to figure out how to drop those packets.

I was also thinking of building a bridge firewall so the server wasn't doing anything but filtering packets, but after seeing that ipfw couldn't even handle half of the 65,000 rules available, I'm having second thoughts.

Anyone have any ideas?

Thanks,
Chuck