Date: Sun, 1 May 2005 11:10:33 -0500 (CDT)
From: Chuck Rock <carock@epconline.com>
To: Richard Tector <richardtector@thekeelecentre.com>
Cc: freebsd-ipfw@freebsd.org
Subject: RE: Problem with high load on Xeon server...
Message-ID: <20050501110937.A18734@kira.epconline.net>
In-Reply-To: <000001c54e62$5ab80ca0$0c01000a@RLaptop>
References: <000001c54e62$5ab80ca0$0c01000a@RLaptop>

I'm still thinking the bridge firewall is the best route since I can affect
all of my inbound servers at one point instead of loading up the rules on
each individual server.

I will look into the pf solution.

Thanks,
Chuck

On Sun, 1 May 2005, Richard Tector wrote:

> >Why 60,000 IPs you ask... These boxes are high traffic mail servers, and
> >I've got an extensive sendmail access file. I wanted to keep the servers
> >from handling so much spam by blocking the IPs of relays that failed the
> >access list relay check.
>
> >Over about one week, I have 60,000+ unique IP addresses from my logs.
>
>
> You might want to consider using pf which has extensive table support. I'm
> not sure what the limits are on the table size, but you simply add another.
> This means a minimal ruleset and table lookups are orders of magnitude
> faster than rule processing.
>
> Ipfw now has table support. In 5.3+ at least. I don't know how quick these
> are in comparison to pf however.
>
> The only problem with using pf is you'd ideally need to upgrade to 5.3 or
> above. Perhaps rig up another box to try it on?
>
> Regards,
>
> Richard Tector
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
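
The pf-table approach Richard Tector suggests, as an added example that is not part of the original thread: a shell script that pulls rejected relay addresses out of sendmail log lines into a file pf can load as a table, so the ruleset stays at one block rule. The log lines are constructed samples, and the table name `spamrelays`, the path `/etc/pf.spamrelays` and the `$ext_if` macro are assumptions.

```shell
#!/bin/sh
# Added example: build a pf table file from sendmail "Relaying denied" lines.
# Table name, file path and $ext_if are assumptions; pf.conf would carry:
#   table <spamrelays> persist file "/etc/pf.spamrelays"
#   block in quick on $ext_if proto tcp from <spamrelays> to any port smtp
# and after each rebuild: pfctl -t spamrelays -T replace -f /etc/pf.spamrelays

# Constructed sample log lines in sendmail's usual syslog layout.
sample_log() {
cat <<'EOF'
May  1 10:02:11 mx1 sendmail[4101]: j41F2B004101: ruleset=check_rcpt, arg1=<u@example.net>, relay=host1.example.org [192.0.2.15], reject=550 5.7.1 <u@example.net>... Relaying denied
May  1 10:02:40 mx1 sendmail[4102]: j41F2e004102: ruleset=check_rcpt, arg1=<v@example.net>, relay=host1.example.org [192.0.2.15], reject=550 5.7.1 <v@example.net>... Relaying denied
May  1 10:03:05 mx1 sendmail[4110]: j41F35004110: ruleset=check_rcpt, arg1=<w@example.net>, relay=[203.0.113.7], reject=550 5.7.1 <w@example.net>... Relaying denied
May  1 10:03:09 mx1 sendmail[4111]: j41F39004111: ruleset=check_rcpt, arg1=<x@example.net>, relay=h2.example.org [198.51.100.44], reject=550 5.7.1 <x@example.net>... Relaying denied
May  1 10:04:00 mx1 sendmail[4120]: j41F40004120: to=<y@example.com>, delay=00:00:01, mailer=esmtp, relay=mail.example.com. [198.51.100.9], dsn=2.0.0, stat=Sent
May  1 10:04:30 mx1 sendmail[4121]: j41F4U004121: ruleset=check_rcpt, arg1=<z@example.net>, relay=bad.example.org [999.1.1.1], reject=550 5.7.1 <z@example.net>... Relaying denied
EOF
}

# Read maillog text on stdin; print each rejected relay's IPv4 address once.
extract_rejected_relays() {
    awk '
    /Relaying denied/ {
        # sendmail logs the peer as relay=name [a.b.c.d]; keep the bracketed part
        if (match($0, /relay=[^,]*\[[0-9.]+\]/)) {
            r = substr($0, RSTART, RLENGTH)
            sub(/^.*\[/, "", r); sub(/\]$/, "", r)
            n = split(r, o, ".")
            ok = (n == 4)
            # reject malformed addresses so a bad log line cannot poison the table
            for (i = 1; i <= n; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] > 255) ok = 0
            if (ok) print r
        }
    }' | LC_ALL=C sort -u
}

# Write the table file via rename so pf never loads a half-written list.
write_table() {   # $1 = destination path, e.g. /etc/pf.spamrelays (assumed)
    tmp="$1.tmp.$$"
    extract_rejected_relays > "$tmp" && mv "$tmp" "$1"
}

sample_log | extract_rejected_relays
```
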