Date: Tue, 18 Sep 2001 22:23:28 -0700 From: Julian Elischer <julian@elischer.org> To: "Marc G. Fournier" <scrappy@hub.org> Cc: freebsd-security@freebsd.org, freebsd-net@freebsd.org Subject: Re: ipfw problems ... Message-ID: <3BA82BD0.67F490B4@elischer.org> References: <20010918230726.M30377-100000@mail1.hub.org>
next in thread | previous in thread | raw e-mail | index | archive | help
"Marc G. Fournier" wrote:
>
> I recently setup a box on our network, running FreeBSD 4.4-PRERELEASE,
> with ipfw and dummynet to do bandwidth shaping as well as firewalling ...
>
> The machine is a Dual PIII 733 w/1gig of RAM and 2xfxp0 devices ...
>
> I've got an /etc/fw.rules file that has ~1200 rules in it so far, and
> still have more that I want to put in, but today the machine locked up
> solid ...
>
> I ended up re-starting the machine with fw set to open, and loaded a few
> rules at a time ... got up to 747 rules before the machine pretty much
> ground to a halt, with the occasional keystroke going through ...
>
> ~900 or so of the rules are purely 'pass thru' rules ... we have two
> connections to the internet ... one that costs us nothing, and one that
> costs us quite dearly ... we want to allow all traffic that goes to sites
> on the 'costs us nothing' network to go through unimpeded, while that
> which goes through the 'costs us quite dearly' to be 'shaped' ... th ~900
> rules are the ones that define those b-class networks that are on the
> 'costs us nothing' network ...
>
> I'm not seeing any errors on the console to indicate a problem, it just
> slowly grinds to a halt ... is there a setting in the kernel, or
> somewhere, that I should be setting to allow fur such a high number of
> rules, or is it just not possible to do more then a few hundred? :(
>
> Thanks
IPFW is a linear search.
you can however use 'skipto ' to good effect to get around this..
you can produce a decision tree by filtering left or right on one address bit
(or something) so that each packet traverses a lot less that 747 rules.
(probably about 10)
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
--
+------------------------------------+ ______ _ __
| __--_|\ Julian Elischer | \ U \/ / hard at work in
| / \ julian@elischer.org +------>x USA \ a very strange
| ( OZ ) \___ ___ | country !
+- X_.---._/ presently in San Francisco \_/ \\
v
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3BA82BD0.67F490B4>