From owner-freebsd-security Tue Sep 18 21:06:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from science.slc.edu (Science.SLC.Edu [198.83.6.248]) by hub.freebsd.org (Postfix) with ESMTP id B3E8237B43A; Tue, 18 Sep 2001 21:06:07 -0700 (PDT)
Received: (from aschneid@localhost) by science.slc.edu (8.11.0/8.11.0) id f8J45Z483525; Wed, 19 Sep 2001 00:05:35 -0400 (EDT) (envelope-from aschneid)
Date: Wed, 19 Sep 2001 00:05:34 -0400
From: Anthony Schneider
To: "Marc G. Fournier"
Cc: freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: ipfw problems ...
Message-ID: <20010919000534.A83486@mail.slc.edu>
References: <20010918134410.P87162-100000@atelier.acadiau.ca> <20010918230726.M30377-100000@mail1.hub.org>
In-Reply-To: <20010918230726.M30377-100000@mail1.hub.org>; from scrappy@hub.org on Tue, Sep 18, 2001 at 11:14:50PM -0400
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It might have something to do with the prerelease nature of the machine.

-Anthony.

On Tue, Sep 18, 2001 at 11:14:50PM -0400, Marc G. Fournier wrote:
>
> I recently set up a box on our network, running FreeBSD 4.4-PRERELEASE,
> with ipfw and dummynet to do bandwidth shaping as well as firewalling ...
>
> The machine is a Dual PIII 733 w/1gig of RAM and 2xfxp0 devices ...
>
> I've got an /etc/fw.rules file that has ~1200 rules in it so far, and
> still have more that I want to put in, but today the machine locked up
> solid ...
>
> I ended up re-starting the machine with fw set to open, and loaded a few
> rules at a time ... got up to 747 rules before the machine pretty much
> ground to a halt, with the occasional keystroke going through ...
>
> ~900 or so of the rules are purely 'pass thru' rules ... we have two
> connections to the internet ... one that costs us nothing, and one that
> costs us quite dearly ... we want to allow all traffic that goes to sites
> on the 'costs us nothing' network to go through unimpeded, while that
> which goes through the 'costs us quite dearly' is to be 'shaped' ... the ~900
> rules are the ones that define those B-class networks that are on the
> 'costs us nothing' network ...
>
> I'm not seeing any errors on the console to indicate a problem, it just
> slowly grinds to a halt ... is there a setting in the kernel, or
> somewhere, that I should be setting to allow for such a high number of
> rules, or is it just not possible to do more than a few hundred? :(
>
> Thanks
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
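Added example, not code from this thread or from FreeBSD's ipfw: a small Python model of why a long list of pass-through rules that is walked sequentially for every packet is expensive, and of two ways to shrink the work. The rule syntax here is a simplified subset ("allow ip from any to <cidr>" followed by a catch-all shaping rule), the networks are constructed placeholders rather than the poster's list, `evaluate_linear` mirrors ipfw's first-match walk, and `evaluate_table` is the per-prefix-length lookup that later ipfw releases added as tables (it is an assumed design here, not a FreeBSD 4.4 feature).

```python
"""Model sequential ipfw-style rule evaluation against a prefix-table lookup.

Constructed example; the networks are placeholders, not the poster's
'costs us nothing' list, and the rule format is a simplified subset.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample of "costs us nothing" networks, class-B sized (/16),
# some of them adjacent so that they can be merged into supernets.
FREE_NETWORKS = [
    "10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16", "10.4.0.0/16",
    "172.16.0.0/16", "172.17.0.0/16", "192.168.0.0/16",
]

Rule = Tuple[str, ipaddress.IPv4Network]   # (action, destination network)


def build_rules(networks: List[str]) -> List[Rule]:
    """One 'allow' rule per free network, then a catch-all 'pipe' (shaped) rule."""
    rules: List[Rule] = [("allow", ipaddress.ip_network(n)) for n in networks]
    rules.append(("pipe", ipaddress.ip_network("0.0.0.0/0")))
    return rules


def collapse(networks: List[str]) -> List[str]:
    """Merge adjacent or overlapping networks into the fewest covering prefixes."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def evaluate_linear(rules: List[Rule], dst: str) -> Tuple[str, int]:
    """First-match walk, as ipfw does: returns (action, rules examined)."""
    addr = ipaddress.ip_address(dst)
    for examined, (action, net) in enumerate(rules, start=1):
        if addr in net:
            return action, examined
    return "deny", len(rules)          # default deny if nothing matched


def build_table(networks: List[str]) -> Dict[int, Set[ipaddress.IPv4Network]]:
    """Index networks by prefix length, the way a lookup table would."""
    table: Dict[int, Set[ipaddress.IPv4Network]] = {}
    for n in networks:
        net = ipaddress.ip_network(n)
        table.setdefault(net.prefixlen, set()).add(net)
    return table


def evaluate_table(table: Dict[int, Set[ipaddress.IPv4Network]],
                   dst: str) -> Tuple[str, int]:
    """Longest-prefix probe: one set lookup per distinct prefix length.

    The cost depends on how many prefix lengths are in use, not on how
    many networks there are. Returns ("allow", probes) on a hit, otherwise
    ("pipe", probes) for the shaped path.
    """
    addr = int(ipaddress.ip_address(dst))
    probes = 0
    for plen in sorted(table, reverse=True):      # most specific first
        probes += 1
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        candidate = ipaddress.ip_network((addr & mask, plen))
        if candidate in table[plen]:
            return "allow", probes
    return "pipe", probes


if __name__ == "__main__":
    flat = build_rules(FREE_NETWORKS)
    merged = build_rules(collapse(FREE_NETWORKS))
    table = build_table(collapse(FREE_NETWORKS))
    for dst in ("192.168.5.5", "10.3.7.7", "203.0.113.9"):
        print(dst,
              "flat:", evaluate_linear(flat, dst),
              "merged:", evaluate_linear(merged, dst),
              "table:", evaluate_table(table, dst))
```

On the ruleset described in the thread, a packet bound for the 'costs us quite dearly' path is compared against all ~900 pass-through rules before it reaches the shaping rule, so the per-packet cost grows with the rule count; collapsing adjacent class-B prefixes shortens the list, and ordering the most frequently hit networks first shortens the walk for the traffic that matters most.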