From owner-freebsd-questions@FreeBSD.ORG Wed May 21 18:14:46 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 986FD37B401 for ; Wed, 21 May 2003 18:14:46 -0700 (PDT)
Received: from out001.verizon.net (out001pub.verizon.net [206.46.170.140]) by mx1.FreeBSD.org (Postfix) with ESMTP id C347343F3F for ; Wed, 21 May 2003 18:14:45 -0700 (PDT) (envelope-from cswiger@mac.com)
Received: from mac.com ([129.44.60.214]) by out001.verizon.net (InterMail vM.5.01.05.33 201-253-122-126-133-20030313) with ESMTP id <20030522011445.FGPH12592.out001.verizon.net@mac.com>; Wed, 21 May 2003 20:14:45 -0500
Message-ID: <3ECC2480.8040805@mac.com>
Date: Wed, 21 May 2003 21:14:40 -0400
From: Chuck Swiger
Organization: The Courts of Chaos
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030507
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Andras Kende
X-Enigmail-Version: 0.75.0.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Authentication-Info: Submitted using SMTP AUTH at out001.verizon.net from [129.44.60.214] at Wed, 21 May 2003 20:14:44 -0500
cc: freebsd-questions@freebsd.org
Subject: Re: ipfw rules for low-end server??
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 22 May 2003 01:14:46 -0000

Andras Kende wrote:
> Have PIII-450, 386Mb FreeBSD 4.8 machine as natd gateway (2 NIC) for around
> 100 computers.
>
> To minimize load on the machine which would be the best options??

It's very likely that your machine won't exhibit significant CPU load, at
least if you have decent NICs.

> Should I use ipfw "dynamic" or "stateful" rules?

Given that you are doing NAT, you might try using dynamic rules
(keep-state/check-state), but how you configure your firewall rules should
be based more on what's simple, easy to understand, and does the job.

> Also, should I set the kernel with: option IPFIREWALL_VERBOSE for debugging
> purposes if needed but disable logging firewall_logging=NO at rc.conf ?

Define something like this to limit the amount of FW logging, but do leave
logging enabled:

options IPFIREWALL_VERBOSE_LIMIT=100

> I want to allow everything to go out, only 22tcp,80tcp 53udp and 25tcp
> (port_forwarding) to in...

See /etc/rc.firewall.

-- 
-Chuck
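Chuck points at /etc/rc.firewall rather than spelling rules out. As an added example (not from the thread, and not a copy of rc.firewall), here is a ruleset in the shape of that file's "simple" profile, cut down to what Andras asked for: everything out, only 22/tcp, 80/tcp and 53/udp in to the gateway itself, and 25/tcp handed by natd to an inside mail host. Interface names, addresses and the mail host are assumptions and must be changed. It also shows why the dynamic-rule question is not a free choice on a natd box: a keep-state rule that accepts a packet ends rule processing, so it has to sit after the divert rule, and the state it records then holds the translated (public) address, while a reply to an inside host has its destination rewritten back by natd before check-state ever sees it. That is why the script uses established/setup for TCP and keep-state only for the gateway's own UDP, and why IPFIREWALL_VERBOSE_LIMIT matters on the one logging rule.

```shell
#!/bin/sh
# Added example, not from the original thread or from /etc/rc.firewall itself:
# an ipfw(8) ruleset for a FreeBSD 4.x natd gateway in the shape of the
# rc.firewall "simple" profile.  Interface names and addresses are assumed.

oif="fxp0"              # outside interface (assumed)
oip="192.0.2.10"        # the gateway's public address (assumed, TEST-NET-1)
iif="fxp1"              # inside interface (assumed)
iip="192.168.1.1"       # the gateway's inside address (assumed)
inet="192.168.1.0/24"   # inside network (assumed)
mailhost="192.168.1.25" # inside host natd forwards port 25 to (assumed)

# FWCMD=echo sh ipfw-gateway.sh load   prints the rules instead of loading
# them, so the ruleset can be reviewed before it touches a remote box.
fwcmd="${FWCMD:-/sbin/ipfw}"

load_ruleset() {
    $fwcmd -f flush

    # Loopback, and nothing claiming to be loopback on a real interface.
    $fwcmd add 100 allow all from any to any via lo0
    $fwcmd add 200 deny all from any to 127.0.0.0/8
    $fwcmd add 300 deny all from 127.0.0.0/8 to any

    # Anti-spoofing: inside addresses never arrive from outside, and the
    # public address never arrives from inside.
    $fwcmd add 400 deny all from ${inet} to any in via ${oif}
    $fwcmd add 410 deny all from ${oip} to any in via ${iif}

    # Everything crossing the outside interface goes through natd first.
    # Packets re-enter the ruleset right after this rule with translated
    # addresses, so every rule below sees the public address on the way out
    # and the inside address on the way in.
    $fwcmd add 500 divert natd all from any to any via ${oif}

    # Replies to TCP connections that already completed their handshake.
    $fwcmd add 600 allow tcp from any to any established
    $fwcmd add 610 allow all from any to any frag

    # Inbound services.  ssh and http terminate on the gateway.  smtp is
    # port-forwarded by natd (redirect_port in natd.conf, not shown), so by
    # the time the SYN gets here its destination is already ${mailhost}.
    $fwcmd add 700 allow tcp from any to ${oip} 22 setup
    $fwcmd add 710 allow tcp from any to ${oip} 80 setup
    $fwcmd add 720 allow tcp from any to ${mailhost} 25 setup in via ${oif}

    # DNS over UDP to the gateway's name server and its answers, from the
    # outside and from the inside network (inside hosts resolve through the
    # gateway, so no other inbound UDP is opened on ${oif}).
    $fwcmd add 800 allow udp from any to ${oip} 53
    $fwcmd add 810 allow udp from ${oip} 53 to any
    $fwcmd add 820 allow udp from ${inet} to ${iip} 53 in via ${iif}
    $fwcmd add 830 allow udp from ${iip} 53 to ${inet} out via ${iif}

    # Log and drop every other inbound connection attempt on the outside.
    # IPFIREWALL_VERBOSE_LIMIT (sysctl net.inet.ip.fw.verbose_limit) caps
    # how many times this rule logs, so a port scan cannot fill syslog.
    $fwcmd add 900 deny log tcp from any to any in via ${oif} setup

    # Outbound: any new TCP connection, from the inside network or the
    # gateway, may leave.  Replies come back through rule 600.
    $fwcmd add 1000 allow tcp from any to any setup

    # Outbound UDP from the gateway itself uses dynamic rules.  Only the
    # gateway's own traffic is handled this way: a reply to an inside host
    # has its destination rewritten by natd before check-state sees it, so
    # it would not match state recorded for the public address.
    $fwcmd add 1100 check-state
    $fwcmd add 1110 allow udp from ${oip} to any 53 keep-state
    $fwcmd add 1120 allow udp from ${oip} to any 123 keep-state

    # Everything else is dropped (the implicit rule 65535 does this too
    # unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT).
    $fwcmd add 65000 deny all from any to any
}

if [ "${1:-}" = "load" ]; then
    load_ruleset
fi
```

Preview with `FWCMD=echo sh ipfw-gateway.sh load`, then apply with `sh ipfw-gateway.sh load` from the console rather than over ssh: the flush leaves only the default rule in place until the rest are added, which on a default-to-deny kernel drops the session that is loading them.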