Date: Tue, 18 Sep 2001 22:23:28 -0700
From: Julian Elischer <julian@elischer.org>
To: "Marc G. Fournier" <scrappy@hub.org>
Cc: freebsd-security@freebsd.org, freebsd-net@freebsd.org
Subject: Re: ipfw problems ...
Message-ID: <3BA82BD0.67F490B4@elischer.org>
References: <20010918230726.M30377-100000@mail1.hub.org>
"Marc G. Fournier" wrote:
>
> I recently set up a box on our network, running FreeBSD 4.4-PRERELEASE,
> with ipfw and dummynet to do bandwidth shaping as well as firewalling ...
>
> The machine is a Dual PIII 733 w/1gig of RAM and 2xfxp0 devices ...
>
> I've got an /etc/fw.rules file that has ~1200 rules in it so far, and
> still have more that I want to put in, but today the machine locked up
> solid ...
>
> I ended up re-starting the machine with fw set to open, and loaded a few
> rules at a time ... got up to 747 rules before the machine pretty much
> ground to a halt, with the occasional keystroke going through ...
>
> ~900 or so of the rules are purely 'pass thru' rules ... we have two
> connections to the internet ... one that costs us nothing, and one that
> costs us quite dearly ... we want to allow all traffic that goes to sites
> on the 'costs us nothing' network to go through unimpeded, while that
> which goes through the 'costs us quite dearly' is to be 'shaped' ... the ~900
> rules are the ones that define those B-class networks that are on the
> 'costs us nothing' network ...
>
> I'm not seeing any errors on the console to indicate a problem, it just
> slowly grinds to a halt ... is there a setting in the kernel, or
> somewhere, that I should be setting to allow for such a high number of
> rules, or is it just not possible to do more than a few hundred? :(
>
> Thanks

IPFW is a linear search. You can however use 'skipto' to good effect to
get around this: you can produce a decision tree by filtering left or
right on one address bit (or something) so that each packet traverses a
lot less than 747 rules (probably about 10).

>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message

--
Julian Elischer
julian@elischer.org
hard at work in a very strange country! presently in San Francisco

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
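As an added illustration of the skipto decision tree Julian describes (this is not code from the thread or from FreeBSD): the Python below builds a binary trie over a constructed sample of 'costs us nothing' /16 networks, emits the equivalent ipfw(8) rules, and simulates ipfw's first-match walk so the number of rules a packet visits can be compared with the flat list. The starting rule number (100) and the rule number where the dummynet pipes begin (SHAPE = 60000) are assumptions.

```python
import ipaddress

# Constructed sample of "costs us nothing" /16 networks (Marc's list had ~900);
# the trie split below needs them sorted and non-overlapping.
FREE_NETS = sorted(ipaddress.ip_network(n) for n in (
    "12.5.0.0/16", "12.9.0.0/16", "64.20.0.0/16", "128.3.0.0/16",
    "192.168.0.0/16", "198.51.0.0/16", "203.0.0.0/16", "255.1.0.0/16"))
ANY = ipaddress.ip_network("0.0.0.0/0")
SHAPE = 60000  # assumed rule number where the dummynet pipe rules begin

def build_tree(nets, base=100):
    """Emit a skipto decision tree for `nets`, numbered upward from `base`.
    Returns (rules, next_free_number); a rule is (num, action, target, cidr)."""
    if len(nets) == 1:  # leaf: allow this net, everything else goes to shaping
        return [(base, "allow", None, nets[0]),
                (base + 1, "skipto", SHAPE, ANY)], base + 2
    lo, hi = int(nets[0].network_address), int(nets[-1].network_address)
    plen = 33 - (lo ^ hi).bit_length()  # one bit past the common prefix
    right = ipaddress.IPv4Network((hi, plen), strict=False)  # the "1" half
    i = next(k for k, n in enumerate(nets) if n.network_address in right)
    left_rules, right_base = build_tree(nets[:i], base + 1)
    right_rules, nxt = build_tree(nets[i:], right_base)
    # packets whose bit is set jump over the whole left subtree
    return [(base, "skipto", right_base, right)] + left_rules + right_rules, nxt

def render(rules):
    """Turn the rule tuples into ipfw(8) command lines."""
    out = []
    for num, action, target, cidr in rules:
        dst = "any" if cidr.prefixlen == 0 else str(cidr)
        arg = f" {target}" if action == "skipto" else ""
        out.append(f"ipfw add {num} {action}{arg} ip from any to {dst}")
    return out

def walk(rules, dst):
    """Simulate ipfw's first-match walk for a packet to `dst`.
    Returns (verdict, rules_examined); 'shape' means it fell through to SHAPE."""
    dst, i, examined = ipaddress.ip_address(dst), 0, 0
    while i < len(rules):
        num, action, target, cidr = rules[i]
        examined += 1
        if dst not in cidr:
            i += 1
            continue
        if action == "allow":
            return "allow", examined
        # skipto resumes at the first rule whose number is >= target
        i = next((j for j, r in enumerate(rules) if r[0] >= target), len(rules))
    return "shape", examined

LINEAR = [(k + 1, "allow", None, n) for k, n in enumerate(FREE_NETS)]  # flat list
TREE, _ = build_tree(FREE_NETS)
```

Running `print("\n".join(render(TREE)))` shows the 23-rule tree; with 8 sample networks the saving is modest, but the tree depth grows with the prefix length (at most 16 splits for /16s) rather than with the number of networks.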