Date: Thu, 16 Jan 2003 16:16:11 -0700 (MST)
From: Fred Clift <fclift@verio.net>
To: Josh Brooks <user@mail.econolodgetulsa.com>
Cc: <freebsd-hackers@FreeBSD.ORG>
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID: <20030116161104.T41959-100000@vespa.dmz.orem.verio.net>
In-Reply-To: <20030116143937.F38599-100000@mail.econolodgetulsa.com>
On Thu, 16 Jan 2003, Josh Brooks wrote:

<stuff about inserting a machine snipped>

> You know, I keep hearing this ... the machine is a 500 MHz P3 Celeron with
> 256 megs RAM ... and normally `top` says it is at about 80% idle, and
> everything is wonderful - but when someone shoves 12,000-15,000 packets
> per second down its throat, it chokes _hard_. You think that optimizing
> my ruleset will change that? Or does 15K p/s choke any FreeBSD+ipfw
> firewall with 1-200 rules running on it?

You and I read the snipped statement differently -- I _thought_ he was saying that you should have two chained firewalls:

    isp - fw1 - fw2 - <internal net>

Have fw1 only do 'deny' things on attacks (with a default allow) and have fw2 do only 'allow' for valid traffic with a 'default deny' for everything else. The class of machine you are talking about can be purchased used for under $100 right now, so it wouldn't be that much of an investment money-wise... In fact, fw1 could be a transparent bridge that just dropped DoS stuff...

Perhaps I'm wrong in my reading, but this might work anyway...

Also note that much beefier iron can be purchased for under $500 if you are willing to do a bit of digging and assembly.

You might also look at the network cards you have and replace them with different ones. Some driver/card combos are much more efficient than others. I don't know what you have, and I don't know which ones you should consider getting. I use Intel (fxp) cards a lot and like them. Can anyone else recommend a NIC that is efficient, at least when used by FreeBSD's drivers?

Fred

--
Fred Clift - fclift@verio.net -- Remember: If brute force doesn't work, you're just not using enough.
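The two-stage layout sketched above, as an added ipfw example in the style of FreeBSD's rc.firewall; this is not code from the original mail. fw1 is default-allow and drops only traffic that is never legitimate (spoofed/bogon sources, non-first fragments, directed broadcasts), so it stays cheap under a flood; fw2 is default-deny and allows only the services the host is meant to serve. The interface names fxp0/fxp1, the host address 192.0.2.10 and the served ports are assumptions. By default the script only prints the ipfw commands; set FWCMD=/sbin/ipfw to load them.

```shell
#!/bin/sh
# Added example of the chained fw1/fw2 rulesets (not from the original mail).
# Assumptions: OIF faces the ISP, IIF faces the next hop, WWW is the host.
# FWCMD defaults to a dry run that prints the commands instead of loading them.

FWCMD="${FWCMD:-echo ipfw}"
OIF="${OIF:-fxp0}"          # ISP-facing interface (assumed)
IIF="${IIF:-fxp1}"          # inside-facing interface (assumed)
WWW="${WWW:-192.0.2.10}"    # documentation-range address of the web host (assumed)

# fw1: default ALLOW. Only a short list of "never legitimate" patterns is
# dropped, so every packet hits a handful of rules and then passes.
fw1_rules() {
    $FWCMD -f flush
    n=1000
    # RFC 1918 / loopback / "this" network sources arriving from the ISP side
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 0.0.0.0/8; do
        $FWCMD add $n deny ip from $net to any in via $OIF
        n=$((n + 10))
    done
    # Our own address must never arrive from outside (spoofed source)
    $FWCMD add 1100 deny ip from $WWW to any in via $OIF
    # Non-first fragments and directed broadcasts are classic flood vectors
    $FWCMD add 1200 deny ip from any to any frag in via $OIF
    $FWCMD add 1300 deny ip from any to 255.255.255.255 in via $OIF
    # Everything else passes; fw2 decides what is actually wanted.
    $FWCMD add 65000 allow ip from any to any
}

# fw2: default DENY. Only the services the host serves are listed; the
# final rule logs what is left, which fw1 has already thinned out.
fw2_rules() {
    $FWCMD -f flush
    # Inbound web connections and the return half of any accepted TCP session
    $FWCMD add 2000 allow tcp from any to $WWW 80 in via $OIF setup
    $FWCMD add 2100 allow tcp from any to any established
    # DNS lookups from the host and their replies
    $FWCMD add 2200 allow udp from $WWW to any 53 out via $OIF
    $FWCMD add 2300 allow udp from any 53 to $WWW in via $OIF
    # echo reply, unreachable, echo request, time exceeded
    $FWCMD add 2400 allow icmp from any to any icmptypes 0,3,8,11
    # Anything not listed above is dropped and logged
    $FWCMD add 65000 deny log ip from any to any
}

case "${1:-}" in
    fw1) fw1_rules ;;
    fw2) fw2_rules ;;
    *)   echo "# fw1 ruleset"; fw1_rules; echo "# fw2 ruleset"; fw2_rules ;;
esac
```

The order matters for the flood case: fw1 has no state and no logging, so a spoofed 15K p/s stream costs it a few rule comparisons per packet and never reaches fw2's `deny log` rule, whose syslog traffic is itself a load (on a real box also cap it with the net.inet.ip.fw.verbose_limit sysctl). `ipfw flush` keeps the kernel's built-in rule 65535, so each ruleset states its own policy explicitly at 65000 rather than relying on how the kernel was built.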