From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
Date: Thu, 16 Jan 2003 16:52:50 -0700
To: "."@babolo.ru
Cc: Terry Lambert, Nate Williams, Josh Brooks, Sean Chittenden, freebsd-hackers@FreeBSD.ORG
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID: <15911.17874.521794.845687@emerger.yogotech.com>
In-Reply-To: <200301162351.h0GNpnPC002685@aaz.links.ru>
References: <3E274081.F2D2F873@mindspring.com> <200301162351.h0GNpnPC002685@aaz.links.ru>
Sender: owner-freebsd-hackers@FreeBSD.ORG
List-ID: freebsd-hackers

> > In any case, he's got something else strange going on, because
> > his load under attack, according to his numbers, never gets above
> > the load you'd expect on 10Mbit old-style ethernet, so he's got
> > something screwed up; probably, he has a loop in his rules, and
> > a packet gets trapped and reprocessed over and over again (a
> > friend of mine had this problem back in early December).
>
> If I remember correctly he has less than 10Mbit
> uplink and a lot of count rules for client accounting.

Ahh, I remember now.  Good point.

> It is the reason I recommended that he use userland accounting.

Or another (separate) box inline with the original firewall for accounting.

> And as far as I understand a lot of count rules is
> the reason for trouble.

If this is the case, then I agree.  A firewall that is under attack should
only be used as a firewall, not an accounting tool.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
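An added illustration of the point made in this message, not code from the thread or from FreeBSD: a small model of ipfw's first-match walk, in which `count` rules update their counters and fall through to the next rule while `allow` and `deny` end the walk. Because `count` never terminates, a flood aimed at a single client is charged for every per-client `count` rule on the firewall, whereas a filter-only ruleset decides the same packet in one step and leaves the byte counting to a userland collector or a separate accounting box. The client addresses, rulesets, packet lists and the `userland_account` stand-in are all constructed for the example.

```python
"""Model of why per-client 'count' rules on a firewall multiply per-packet
work under a flood (added example; not from the thread or from ipfw)."""
import ipaddress
from collections import Counter

# Constructed data: 50 customer hosts, one /32 each, behind the firewall.
CLIENT_NET = "192.0.2.0/24"
CLIENTS = [f"192.0.2.{i}" for i in range(1, 51)]


def rule(action, src="any", dst="any"):
    """A rule is an action plus source/destination specs ('any' or a prefix)."""
    return {"action": action, "src": src, "dst": dst}


def _addr_in(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, pkt, counters):
    """Walk the rules in order, ipfw style. Returns (verdict, rules_visited).

    'count' updates its counter and continues, so every packet that reaches the
    count block pays for all of it; 'allow'/'deny' return immediately. Falling
    off the end is the implicit default deny.
    """
    visited = 0
    for idx, r in enumerate(rules):
        visited += 1
        if not (_addr_in(r["src"], pkt["src"]) and _addr_in(r["dst"], pkt["dst"])):
            continue
        if r["action"] == "count":
            counters[idx] += pkt["len"]
            continue
        return r["action"], visited
    return "deny", visited


# Weak setup: accounting on the firewall, one count rule per client,
# followed by the actual filtering decision.
ACCOUNTING_ON_FIREWALL = (
    [rule("count", dst=c) for c in CLIENTS]
    + [rule("allow", dst=CLIENT_NET), rule("deny")]
)

# Recommended setup: the firewall only filters; byte counts are taken
# elsewhere (userland collector or a separate inline accounting box).
FILTER_ONLY = [rule("allow", dst=CLIENT_NET), rule("deny")]


def userland_account(allowed_pkts):
    """Stand-in for the off-box/userland accounting: per-client byte totals
    over packets the firewall has already accepted."""
    totals = Counter()
    for p in allowed_pkts:
        totals[p["dst"]] += p["len"]
    return totals


def run(rules, pkts):
    """Push packets through a ruleset; return (rules visited, allowed packets, counters)."""
    counters = Counter()
    total_visited = 0
    allowed = []
    for p in pkts:
        verdict, visited = evaluate(rules, p, counters)
        total_visited += visited
        if verdict == "allow":
            allowed.append(p)
    return total_visited, allowed, counters


def flood(n, dst="192.0.2.7", length=60):
    """Constructed flood: n minimum-size packets from spoofed sources to one client."""
    return [{"src": f"198.51.100.{i % 254 + 1}", "dst": dst, "len": length}
            for i in range(n)]


if __name__ == "__main__":
    pkts = flood(10_000)
    heavy, _, counters = run(ACCOUNTING_ON_FIREWALL, pkts)
    light, allowed, _ = run(FILTER_ONLY, pkts)
    print(f"rules visited: on-box counting {heavy}, filter-only {light}")
    print("userland totals equal the firewall's counter for the flooded client:",
          userland_account(allowed)["192.0.2.7"] == counters[CLIENTS.index("192.0.2.7")])
```

Every flood packet walks all 50 `count` rules before the `allow` rule is reached (51 rule visits) in the on-box setup, against a single visit in the filter-only setup, while the per-client byte totals computed afterwards from the allowed packets are identical. The cost grows linearly with the number of clients being accounted, which is the overhead the message argues an attacked firewall should not be carrying.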