From: Michael Conlen
Date: Wed, 28 May 2003 17:54:07 -0400
To: freebsd-performance@freebsd.org
Subject: High performance IDS/Firewall
Message-ID: <3ED52FFF.3060903@obfuscated.net>

I'm considering setting up a FreeBSD firewall/IDS system to handle 60-80Mbit/sec of traffic. The box would have three adapters, two of them bridging and one for access. I will place the IDS on the outside bridge interface and apply IPFW rules on the system as needed.

My concern is what the failure order is if the system is under heavy load. My preferred order would be:

1. snort (libpcap) drops packets and snort fails to detect
2. firewall fails to block
3. system drops packets

as it's more important for the system to be running than to identify or block the things we are trying to identify and block.
Is this the order things would fall over, or am I likely to cause the system to drop packets as soon as things get ugly?

PS: I'm considering a dual P4 2GHz, 4GB of memory system and a SCSI-3 disk subsystem, and there's only one server on the "inside" of this network, so I don't think I'll have a major failure situation, unless someone suddenly generates over 20Mbit of DOS traffic, and those people usually go after the router...

--
Michael Conlen