From owner-freebsd-hackers Thu Jan 16 14:42:16 2003
Date: Thu, 16 Jan 2003 14:42:13 -0800 (PST)
From: Josh Brooks
To: Matthew Dillon
Cc: Nate Williams,
Subject: Re: FreeBSD firewall for high profile hosts - waste of time?
In-Reply-To: <200301162226.h0GMQqMQ024451@apollo.backplane.com>
Message-ID: <20030116143937.F38599-100000@mail.econolodgetulsa.com>

> If attacks are a predominant problem for you, I recommend sticking a
> machine in between your internet connection and everything else whose

Actually this is what I already do - my ISP does all the routing, and it
feeds in one interface of my FreeBSD machine, and everything else is on
the other side of the FreeBSD machine. My FreeBSD machine does _nothing_
but filter packets and run ssh.

> ONLY purpose is to deal with attacks. With an entire CPU dedicated
> to dealing with attacks you aren't likely to run out of CPU suds (at least
> not before your attackers fill your internet pipe). This allows you
> to use more reasonable rulesets on your other machines.

You know, I keep hearing this ... the machine is a 500 MHz P3 Celeron with
256 megs RAM ... and normally `top` says it is at about 80% idle, and
everything is wonderful - but when someone shoves 12,000-15,000 packets per
second down its throat, it chokes _hard_. You think that optimizing my
ruleset will change that? Or does 15K p/s choke any FreeBSD+ipfw firewall
with 1-200 rules running on it?

thanks.
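The question above, whether a ruleset of 1-200 rules matters at 15K packets per second, comes down to how many rules ipfw has to walk for each packet, since it evaluates its list top to bottom until a rule matches. The following is an added Python model written for this page, not code from the thread or from FreeBSD; the 201-rule lists, the service ports 1000-1197 and the traffic mix are constructed, and it counts rules checked per packet for the same rules in two orders.

```python
# Added illustration, not code from the thread: a model of first-match,
# linear rule evaluation. The per-packet work is the number of rules
# inspected before the first match, so rule order sets the cost.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    dport: int
    established: bool = False   # TCP segment that is not a SYN

@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    proto: str                          # protocol, or "ip" for any
    dport: Optional[int] = None         # None: any port
    established: Optional[bool] = None  # None: don't care

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.established is None or self.established == p.established))

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """First-match walk; returns (action, rules checked). Last rule is the default."""
    for n, r in enumerate(rules, 1):
        if r.matches(p):
            return r.action, n
    return "deny", len(rules)

def build_ruleset(established_first: bool) -> List[Rule]:
    """201 constructed rules: 198 per-service SYN rules (hypothetical ports
    1000-1197), an ssh rule, an 'established' rule and a final deny."""
    services = [Rule("allow", "tcp", dport=p, established=False) for p in range(1000, 1198)]
    est = Rule("allow", "tcp", established=True)
    ssh = Rule("allow", "tcp", dport=22)
    deny = Rule("deny", "ip")
    return [est, ssh] + services + [deny] if established_first else services + [ssh, est, deny]

def average_checks(rules: List[Rule], packets: List[Packet]) -> float:
    return sum(evaluate(rules, p)[1] for p in packets) / len(packets)

# Constructed traffic mix: mostly established TCP, some new ssh sessions, a few
# new sessions to one service port, and a little UDP that no rule allows.
SAMPLE = ([Packet("tcp", 80, True)] * 850 + [Packet("tcp", 22)] * 100
          + [Packet("tcp", 1100)] * 40 + [Packet("udp", 53)] * 10)

def checks_per_second(established_first: bool, pps: int = 15000) -> float:
    return average_checks(build_ruleset(established_first), SAMPLE) * pps

if __name__ == "__main__":
    for order in (False, True):
        print("established first:" if order else "established last: ",
              f"{average_checks(build_ruleset(order), SAMPLE):.2f} rules/packet,",
              f"{checks_per_second(order):,.0f} rule checks/s at 15000 pps")
```

The model counts only rule comparisons; interrupt and driver overhead, which also grow with packet rate, are outside it, so a well-ordered ruleset reduces but does not remove the load a flood puts on the box.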