Date: Sun, 7 Sep 2003 11:27:20 -0400
From: Don Bowman <don@sandvine.com>
To: 'dsa dsa' <cravietz@hotmail.com>, freebsd-ipfw@freebsd.org
Subject: RE: Crippled transparent firewall
Message-ID: <FE045D4D9F7AED4CBFF1B3B813C8533702742767@mail.sandvine.com>
> From: dsa dsa [mailto:cravietz@hotmail.com]
>
> I have FreeBSD 4.8 on a P4 2.4, 1 GB DDR RAM and two
> Intel EtherPro100 (fxp0, fxp1). I have set up a
> transparent firewall/bridge on it. The purpose of
> doing that is only to relieve CPU load on the Cisco router
> (7200), which is getting hit pretty often by DDoS
> attacks. The line carries 100 Mbps. Basically it looks
> like this:
>
> Cisco>------------<BSD>--------100mbps-------<INTERNET
>
> OK, now let's put it this way: the Cisco is pushing about
> 50 Mbps during off-peak hours, but when I put this
> BSD-based transparent firewall in front of the Cisco
> router it goes down to 15 Mbps while the 'top' output
> shows 90% idle. No firewall rules have been set so
> far.

I would check netstat -m. If you are seeing denied mbufs, then I would increase NMBCLUSTERS/NMBUFS.

I would check that your Cisco and BSD & internet connection agree on duplex, e.g. if one is auto and the other is forced 100 full, the auto one will go to 100 half, which is useless :). Check for excessive collisions to see this.
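As an added example that is not part of the thread (neither Don's nor the poster's code), here is a small POSIX shell script that applies the two checks from the reply to FreeBSD 4.x-style `netstat -m` and `ifconfig` output: it counts denied mbuf requests, computes peak cluster usage against the NMBCLUSTERS ceiling, and flags any interface that ended up at half duplex. The sample outputs embedded below are constructed for the example, and the 90% "near limit" threshold is an assumption, not a kernel constant.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: parse FreeBSD 4.x-style
# `netstat -m` and `ifconfig` output to spot mbuf exhaustion (denied requests)
# and a duplex mismatch. The sample outputs below are constructed, not
# captured from the poster's machine.

SAMPLE_NETSTAT_M='290/640/34816 mbufs in use (current/peak/max):
        290 mbufs allocated to data
8704/8704/8704 mbuf clusters in use (current/peak/max)
17568 Kbytes allocated to network (100% of mb_map in use)
5123 requests for memory denied
0 requests for memory delayed
12 calls to protocol drain routines'

# Constructed ifconfig output: fxp0 negotiated half duplex (the classic result
# of auto on one side and forced 100/full on the other); fxp1 is full duplex.
SAMPLE_IFCONFIG_FXP0='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:00:00:00:00:01
        media: Ethernet autoselect (100baseTX <half-duplex>)
        status: active'
SAMPLE_IFCONFIG_FXP1='fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:00:00:00:00:02
        media: Ethernet 100baseTX <full-duplex>
        status: active'

# Number of mbuf/cluster allocation requests the kernel refused.
denied_requests() {
    printf '%s\n' "$1" | awk '/requests for memory denied/ { print $1; exit }'
}

# Peak mbuf cluster usage as a percentage of the NMBCLUSTERS ceiling
# (fields: current/peak/max on the "mbuf clusters in use" line).
cluster_peak_pct() {
    printf '%s\n' "$1" | awk -F'[/ ]' '/mbuf clusters in use/ { printf "%d\n", $2 * 100 / $3; exit }'
}

# Duplex the interface actually runs at: full, half or unknown.
duplex_of() {
    printf '%s\n' "$1" | awk '/media:/ {
        if ($0 ~ /full-duplex/) print "full";
        else if ($0 ~ /half-duplex/) print "half";
        else print "unknown";
        exit }'
}

# Verdict for one box: "ok" or a comma-separated list of findings.
# Usage: diagnose "<netstat -m output>" "<ifconfig output>" ...
diagnose() {
    findings=""
    d=$(denied_requests "$1")
    [ "${d:-0}" -gt 0 ] && findings="${findings}mbufs-denied,"
    p=$(cluster_peak_pct "$1")
    [ "${p:-0}" -ge 90 ] && findings="${findings}clusters-near-limit,"   # 90% is an assumed threshold
    shift
    for ifc in "$@"; do
        [ "$(duplex_of "$ifc")" = "half" ] && findings="${findings}half-duplex,"
    done
    [ -n "$findings" ] && printf '%s\n' "${findings%,}" || printf 'ok\n'
}

diagnose "$SAMPLE_NETSTAT_M" "$SAMPLE_IFCONFIG_FXP0" "$SAMPLE_IFCONFIG_FXP1"
```

On a live bridge you would feed it the real output, e.g. `diagnose "$(netstat -m)" "$(ifconfig fxp0)" "$(ifconfig fxp1)"`; a non-zero denied count points at raising NMBCLUSTERS, and a `half-duplex` finding means the two ends of that link disagree on autonegotiation and the collision counters are worth a look.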