From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 13 10:47:02 2004
From: "Chris Knipe" <savage@savage.za.org>
To: freebsd-ipfw@freebsd.org
Date: Fri, 13 Aug 2004 12:47:12 +0200
Subject: Re: ipfw & skipto.... confused a bit...
List-Id: IPFW Technical Discussions

----- Original Message -----
From: "Pawel Malachowski"
To: "Chris Knipe"
Cc: freebsd-ipfw@freebsd.org
Sent: Friday, August 13, 2004 12:06 PM
Subject: Re: ipfw & skipto.... confused a bit...

> Almost ~64k rules ruleset is weird.
It's mainly a lot of rules due to per-IP and per-port (as well as combinations) used for traffic accounting... So most of it is ipfw count.... The number of rules will therefore also directly depend on the number of hosts on the network, as well as the actual configuration.

We're kinda working on a hardware-based Layer 7 firewall (using divert sockets) to kill P2P. Obviously, FreeBSD is my desired choice of OS. Traffic accounting and stats are a crucial part of the system. I mean, we must give end-users some nice fancy graphs to look at now, don't we? ;)

And yes, I was not quite accurate on my numbers. After closer inspection, I saw that my rule blocks jump from 20000 to 60000, so a lot is skipped. 10000-20000 is mainly reserved for accounting, and then 60000 for queues. I have moved this down to lower levels now to make the tables smaller.

Thanks for all the replies... It's much appreciated.

--
Chris.
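The per-host `count` block and the `skipto` jump into the queue block that Chris describes, as an added example (not code from this thread): a small Python generator that emits such a ruleset and checks the layout stays below ipfw's 16-bit rule-number limit. The host addresses and the block boundaries (10000 for accounting, 20000 for the next block) are constructed sample values.

```python
"""Generate an ipfw accounting block laid out with count rules and a skipto.

Added example, not from the mailing-list thread. Emits `ipfw add` command
strings: one `count` rule per host and direction, then a `skipto` into the
next block so later rule numbers stay free for queues or other purposes.
Rule numbers must stay below 65535, where ipfw keeps its default rule.
"""

MAX_RULE = 65535      # ipfw's default rule lives here; user rules must be lower
ACCT_START = 10000    # accounting block start (thread layout: 10000-20000)
ACCT_STRIDE = 2       # rules per host: one count out, one count in
QUEUE_START = 20000   # constructed: where the post-accounting block begins


def accounting_rules(hosts, start=ACCT_START, next_block=QUEUE_START):
    """Return (rules, next_free): ipfw command strings and the next unused number."""
    rules = []
    num = start
    for host in hosts:
        rules.append(f"ipfw add {num} count ip from {host} to any out")
        rules.append(f"ipfw add {num + 1} count ip from any to {host} in")
        num += ACCT_STRIDE
    # Jump over everything up to the next block instead of falling through.
    rules.append(f"ipfw add {num} skipto {next_block} ip from any to any")
    return rules, num + 1


def fits_rule_space(rules):
    """True if every emitted rule number is usable and numbers are ascending."""
    nums = [int(r.split()[2]) for r in rules]
    return bool(nums) and max(nums) < MAX_RULE and nums == sorted(nums)


def max_hosts(start=ACCT_START, end=QUEUE_START):
    """Hosts that fit in the block, leaving one number for the skipto rule."""
    return (end - start - 1) // ACCT_STRIDE


if __name__ == "__main__":
    sample_hosts = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]  # constructed (RFC 5737)
    rules, nxt = accounting_rules(sample_hosts)
    print("\n".join(rules))
    print("next free rule:", nxt, "fits:", fits_rule_space(rules))
    print("hosts per block:", max_hosts())
```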