Date:      Mon, 31 Jul 2000 00:38:10 -0400 (EDT)
From:      Siobhan Patricia Lynch <trish@bsdunix.net>
To:        Bill Fumerola <billf@chimesnet.com>
Cc:        Miklos Niedermayer <mico@bsd.hu>, Mike Hoskins <mike@adept.org>, Darren Reed <avalon@coombs.anu.edu.au>, Pavol Adamec <pavol_adamec@tempest.sk>, freebsd-security@FreeBSD.ORG
Subject:   Re: ipf or ipfw (was: log with dynamic firewall rules)
Message-ID:  <Pine.BSO.4.21.0007310023400.21752-100000@superconductor.rush.net>
In-Reply-To: <20000731000537.X5021@jade.chc-chimes.com>

On Mon, 31 Jul 2000, Bill Fumerola wrote:

> On Sun, Jul 30, 2000 at 11:48:14PM -0400, Siobhan Patricia Lynch wrote:
> > heh, remember which sites we are running with ipfw in front of it?
> > 
> > maybe there's a problem when it's all on the same box ;)
> 
> it's so much fun when we talk in generalities, but know the specifics.
>

	ahaha, yeah, well, I dunno why I'm so weird about saying that I
work at VA Linux

<as a hush falls over the crowd>

> just an example, though using cheezy "benchmarks" lo0 and fetch,
> 
> only default allow rule: 16MBps
> 1000 ip count (no looking into the tcp udp icmp etc): 4MBps
> 
> I have the hardware setup right now to start doing real benchmarks
> and try to make a difference, but ipfw's design doesn't lend itself
> to large amounts of rules.

	I would almost agree with this, I'm pretty much allowing by
default and disallowing to specific IPs depending on what it is. With the
three layers (Cisco router access-list, ipfw, and the Arrowpoint) I don't
have to do much other than shield the Arrowpoint from certain types of
traffic that I've noticed tend to upset it.

that being said, slashdot, freshmeat, thinkgeek, and animfactory have all
been fairly happy since moving to Exodus (except when someone puts test
code on the live site, ugh)

> 
> Just so Darren doesn't have to say it: maybe I should spend my time
> looking into ipfilter instead of trying to hack ipfw.
> 

	it definitely depends on what you are doing, in my case ipfw was
pretty much the *only* choice.

> -- 
> Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
>                 billf@chimesnet.com / billf@FreeBSD.org
__

Trish Lynch
FreeBSD - The Power to Serve 		trish@bsdunix.net
Rush Networking				trish@rush.net