From owner-freebsd-isp Sat Apr 28 15:26: 6 2001
Message-Id: <5.0.2.1.0.20010428124409.0363c350@mail.etinc.com>
Date: Sat, 28 Apr 2001 17:48:40 -0400
To: bsd@shell.coffey-web.net,
From: Dennis
Subject: Re: ipfw and ISP's.
In-Reply-To: <005a01c0cfec$1303c6e0$6401a8c0@bduross>
Sender: owner-freebsd-isp@FreeBSD.ORG

At 10:03 AM 04/28/2001, bsd@shell.coffey-web.net wrote:
>Hello,
> I am new to the list as of today. I work for a small ISP in Michigan, we
>have 2 T1's out to different providers in which we run BGP on a Cisco 3640.
>My question is this: We are looking for a way to filter traffic (if needed,
>due to an attack or similar) inbound or outbound to our network. I believe I
>could do this with a dual nic configuration on a FreeBSD machine with ipfw.
>Would the machine be able to handle the traffic? and if so, what kind of
>specs would you recommend for a machine to do 3mb/s of bandwidth? We have a
>DS3 coming in the soon months, would the machine be able to handle even
>that? Here is a diagram (in my great ascii skills.. :/)

You might want to take a look at our FreeBSD based bandwidth management
solution. We now have DOS filters (packet/second filters), as well as an
HTML based firewall and bandwidth management interface. Our boxes can
handle up to 100K pps and full 100Mb/s. Of course if you have 100s of rules
your mileage may vary.

You may also want to consider running your DS3 right into the FreeBSD
box... You can run the DOS filters and firewall right on the HSSI line. The
problem with Ciscos is that the DOS may trash the Cisco (particularly lower
end models), so your external firewall won't help much.

See www.etinc.com for info. We have a new gigabit-capable box soon to be
announced for super heavy duty tasks.

Dennis

>2 T1's ----------->Cisco 3640 -------->FreeBSD ipfw box -------->Cisco
>3500XL Switch ------>rest of network(dialupandothers)
>
> Is this feasuble(sp)? Would appreciate any comments or recommendations on
>this topic.
>
>TIA,
>Brian S. DuRoss
>bsd@shell.coffey-web.net
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-isp" in the body of the message