From owner-freebsd-security Wed Sep 19 20:04:02 2001
Date: Thu, 20 Sep 2001 11:03:57 +0800
From: Igor Podlesny
Organization: Morning Network
Message-ID: <9419970505.20010920110357@morning.ru>
To: "Marc G. Fournier"
Cc: freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re[2]: ipfw problems ...
In-Reply-To: <20010918230726.M30377-100000@mail1.hub.org>

> I recently set up a box on our network, running FreeBSD 4.4-PRERELEASE,
> with ipfw and dummynet to do bandwidth shaping as well as firewalling ...
> The machine is a Dual PIII 733 w/1gig of RAM and 2xfxp0 devices ...
> I've got an /etc/fw.rules file that has ~1200 rules in it so far, and
> still have more that I want to put in, but today the machine locked up
> solid ...
> I ended up re-starting the machine with fw set to open, and loaded a few
> rules at a time ... got up to 747 rules before the machine pretty much
> ground to a halt, with the occasional keystroke going through ...
> ~900 or so of the rules are purely 'pass thru' rules ... we have two
> connections to the internet ...

May we know how exactly your system is connected?
Two connections usually mean two network interfaces and some specially set up routing policy, therefore the shaping could be easily done using these circumstances. So what is your situation?

> one that costs us nothing, and one that
> costs us quite dearly ... we want to allow all traffic that goes to sites
> on the 'costs us nothing' network to go through unimpeded, while that
> which goes through the 'costs us quite dearly' to be 'shaped' ... the ~900
> rules are the ones that define those b-class networks that are on the
> 'costs us nothing' network ...
> I'm not seeing any errors on the console to indicate a problem, it just
> slowly grinds to a halt ... is there a setting in the kernel, or
> somewhere, that I should be setting to allow for such a high number of
> rules, or is it just not possible to do more than a few hundred? :(
> Thanks

--
Igor
mailto:poige@morning.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
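An added sketch, not from either poster, of the interface-keyed layout Igor is hinting at next to the per-network "pass thru" style Marc describes; the interface names fxp0/fxp1, the pipe bandwidth, the rule numbers and the sample networks are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Contrast the per-network "pass thru"
# style with an interface-keyed layout. All names and values are assumptions.
FREE_IF=fxp0        # assumed: interface toward the "costs us nothing" network
PAID_IF=fxp1        # assumed: interface toward the "costs us quite dearly" link
PAID_BW=512Kbit/s   # assumed: dummynet pipe bandwidth for the paid link

# Style 1: one pass rule per free network, as in the ~900-rule fw.rules file.
# ipfw walks the list linearly, so every one of these is checked for each
# packet that no earlier rule matched. The networks are constructed samples.
FREE_NETS="10.1.0.0/16 10.2.0.0/16 10.3.0.0/16"
per_network_rules() {
    n=1000
    for net in $FREE_NETS; do
        echo "ipfw add $n allow ip from any to $net out"
        echo "ipfw add $n allow ip from $net to any in"
        n=$((n + 1))
    done
}

# Style 2: let the routing table pick the interface for each destination and
# key the shaping on the interface a packet leaves or enters on. The rule
# count no longer grows with the number of free networks.
# (Whether a packet continues past a pipe rule depends on the
# net.inet.ip.fw.one_pass sysctl; with one_pass=1 it is accepted there.)
interface_rules() {
    cat <<EOF
ipfw -f flush
ipfw pipe 1 config bw $PAID_BW
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 pipe 1 ip from any to any out xmit $PAID_IF
ipfw add 210 pipe 1 ip from any to any in recv $PAID_IF
ipfw add 300 allow ip from any to any via $FREE_IF
ipfw add 65000 allow ip from any to any
EOF
}

# How many rules each style installs (the per-packet work the box does).
rule_count() { "$1" | grep -c '^ipfw add'; }

# Print both rulesets for review; pipe interface_rules to sh on the box itself.
echo "# per-network style: $(rule_count per_network_rules) rules"
per_network_rules
echo "# interface-keyed style: $(rule_count interface_rules) rules"
interface_rules
```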