From owner-freebsd-hackers Thu Jan 16 15:10:28 2003
Date: Thu, 16 Jan 2003 16:16:11 -0700 (MST)
From: Fred Clift
To: Josh Brooks
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
In-Reply-To: <20030116143937.F38599-100000@mail.econolodgetulsa.com>
Message-ID: <20030116161104.T41959-100000@vespa.dmz.orem.verio.net>

On Thu, 16 Jan 2003, Josh Brooks wrote:

> You know, I keep hearing this ... the machine is a 500 mhz p3 celeron with
> 256 megs ram ... and normally `top` says it is at about 80% idle, and
> everything is wonderful - but when someone shoves 12,000-15,000 packets
> per second down its throat, it chokes _hard_. You think that optimizing
> my ruleset will change that ? Or does 15K p/s choke any freebsd+ipfw
> firewall with 1-200 rules running on it ?
You and I read the snipped statement differently -- I _thought_ he was saying that you should have two chained firewalls isp-fw1-fw2- Have fw1 only do 'deny' things on attacks (with a default allow) and have fw2 do only 'allow' for valid traffic with a 'default deny' for everything else.

The class of machine you are talking about can be purchased used for under $100 right now so it wouldn't be that much of an investment money-wise... In fact, fw1 could be a transparent bridge that just dropped DoS stuff...

Perhaps I'm wrong in my reading, but this might work anyway...

Also note that much beefier iron can be purchased for under $500 if you are willing to do a bit of digging and assembly.

You might also look at the network cards you have and replace them with different ones. Some driver/card combos are much more efficient than others. I don't know what you have, and I don't know which ones you should consider getting. I use Intel (fxp) cards a lot and like them. Can anyone else recommend a NIC that is efficient, at least when used by FreeBSD's drivers?

Fred

--
Fred Clift - fclift@verio.net -- Remember: If brute force doesn't work, you're just not using enough.
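The two-stage layout Fred describes, written out as ipfw rulesets: fw1 carries only a short deny list and ends in an explicit allow, fw2 carries only the allowed services and ends in an explicit deny. This is an added example, not code from the thread; the fxp0 interface name, the 192.0.2.10 web host and the particular deny rules on fw1 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): rulesets for the isp-fw1-fw2 chain.
# fw1 (outer) only denies known-bad packets and otherwise allows; fw2 (inner)
# only allows the services actually offered and otherwise denies.
OUT_IF=fxp0          # assumed: interface facing the ISP on each firewall
WEB_HOST=192.0.2.10  # assumed: protected web server (documentation range)

# fw1: deny-only list with a default allow at the end. Keeping this list
# short matters, because every packet of a flood walks all of it.
fw1_rules() {
    cat <<EOF
add 100 deny ip from any to any in via $OUT_IF ipoptions rr,ts,lsrr,ssrr
add 110 deny ip from 10.0.0.0/8 to any in via $OUT_IF
add 111 deny ip from 172.16.0.0/12 to any in via $OUT_IF
add 112 deny ip from 192.168.0.0/16 to any in via $OUT_IF
add 120 deny icmp from any to any in via $OUT_IF icmptypes 5,9,10
add 130 deny log tcp from any to any in via $OUT_IF tcpflags syn,fin
add 65000 allow ip from any to any
EOF
}

# fw2: allow-only list for valid traffic, default deny for everything else.
fw2_rules() {
    cat <<EOF
add 100 check-state
add 200 allow tcp from any to $WEB_HOST 80 in via $OUT_IF setup keep-state
add 210 allow tcp from any to $WEB_HOST 443 in via $OUT_IF setup keep-state
add 300 allow ip from $WEB_HOST to any out via $OUT_IF keep-state
add 65000 deny log ip from any to any
EOF
}

# Print the chosen ruleset (--dry-run) or flush ipfw and load it rule by rule.
load_rules() {   # usage: load_rules fw1|fw2 [--dry-run]
    case "$1" in
        fw1) rules=$(fw1_rules) ;;
        fw2) rules=$(fw2_rules) ;;
        *)   return 1 ;;
    esac
    if [ "$2" = "--dry-run" ]; then
        printf '%s\n' "$rules"
        return 0
    fi
    ipfw -q flush || return 1
    printf '%s\n' "$rules" | while read -r line; do ipfw -q $line || exit 1; done
}
```

Without `--dry-run` the function flushes the live ruleset before loading, so review the printed output first.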