Date: Wed, 21 May 2003 21:14:40 -0400
From: Chuck Swiger <cswiger@mac.com>
To: Andras Kende <andras@kende.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw rules for low-end server??
Message-ID: <3ECC2480.8040805@mac.com>
In-Reply-To: <EGEDIDPPMCIONDEPOLNFOEDMCLAA.andras@kende.com>
References: <EGEDIDPPMCIONDEPOLNFOEDMCLAA.andras@kende.com>

Andras Kende wrote:
> Have PIII-450, 386Mb FreeBSD 4.8 machine as natd gateway (2 NIC) for around
> 100 computers.
>
> To minimize load on the machine which would be the best options??

It's very likely that your machine won't exhibit significant CPU load, at least
if you have decent NICs.

> Should I use ipfw "dynamic" or "stateful" rules?

Given that you are doing NAT, you might try using dynamic rules
(keep-state/check-state), but how you configure your firewall rules should be
based more on what's simple, easy to understand, and does the job.

> Also should set to kernel with: option IPFIREWALL_VERBOSE for debugging
> purposes if needed but disable logging firewall_logging=NO at rc.conf ?

Define something like this to limit the amount of FW logging, but do leave
logging enabled:

options IPFIREWALL_VERBOSE_LIMIT=100

> I want to allow everything to go out, only 22tcp,80tcp 53udp and 25tcp
> (port_forwarding) to in...

See /etc/rc.firewall.

-- 
-Chuck
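
Added example, not part of the message above and not taken from /etc/rc.firewall: one way to write the policy discussed in the thread (everything out, only 22/tcp, 25/tcp, 80/tcp and 53/udp in) with check-state/keep-state on a natd gateway. It assumes the interface names fxp0 and fxp1, a kernel with IPDIVERT, an ipfw that honours skipto on dynamic rules, and that natd is configured separately (including any redirect_port entry for the forwarded port); by default it only prints the commands.

```shell
#!/bin/sh
# Added example: stateful ipfw rules for a two-NIC natd gateway.
# Interface names are assumptions; override with OIF= and IIF=.
oif="${OIF:-fxp0}"   # outside (Internet-facing) NIC, assumed name
iif="${IIF:-fxp1}"   # inside (LAN) NIC, assumed name
# Dry run by default: commands are printed. Set FWCMD="ipfw -q" to load them.
fwcmd="${FWCMD:-echo ipfw}"

load_rules() {
    $fwcmd -f flush
    # Loopback and the trusted inside interface are not filtered.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 allow ip from any to any via "$iif"
    # Inbound packets are un-translated by natd before the state lookup,
    # so dynamic rules always see the private (pre-NAT) addresses.
    $fwcmd add 300 divert natd ip from any to any in via "$oif"
    # Packets of known sessions take the action of the rule that made the state.
    $fwcmd add 400 check-state
    # Everything may go out: record state, then jump to the outbound divert.
    $fwcmd add 500 skipto 9000 tcp from any to any out via "$oif" setup keep-state
    $fwcmd add 510 skipto 9000 udp from any to any out via "$oif" keep-state
    $fwcmd add 520 skipto 9000 icmp from any to any out via "$oif" keep-state
    # New inbound sessions for the four permitted services only. The
    # destination is "any" because a forwarded port already carries the
    # internal address after rule 300; skipto lets replies pass through natd.
    $fwcmd add 600 skipto 9000 tcp from any to any 22,25,80 in via "$oif" setup keep-state
    $fwcmd add 610 skipto 9000 udp from any to any 53 in via "$oif" keep-state
    # Anything else is dropped and logged.
    $fwcmd add 8000 deny log ip from any to any
    # Outbound translation happens last, after state was recorded.
    $fwcmd add 9000 divert natd ip from any to any out via "$oif"
    $fwcmd add 9010 allow ip from any to any
}

load_rules
```

With `options IPFIREWALL_VERBOSE_LIMIT=100` in the kernel, the `deny log` rule at 8000 stops writing log entries once it has logged 100 packets, which keeps logging enabled without flooding syslog.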