Date: Fri, 17 Jan 2003 02:57:55 +0300 (MSK)
From: "."@babolo.ru
To: Josh Brooks <user@mail.econolodgetulsa.com>
Cc: Matthew Dillon <dillon@apollo.backplane.com>, Nate Williams <nate@yogotech.com>, freebsd-hackers@FreeBSD.ORG
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID: <200301162357.h0GNvtKm002829@aaz.links.ru>
In-Reply-To: <20030116143937.F38599-100000@mail.econolodgetulsa.com>
> >
> > If attacks are a predominant problem for you, I recommend sticking a
> > machine in between your internet connection and everything else whos
>
> Actually this is what I already do - my ISP does all the routing, and it
> feeds in one interface of my freebsd machine, and everything else is on
> the other side of the freebsd machine.
>
> My freebsd machine does _nothing_ but filter packets and run ssh.
>
> > ONLY purpose is to deal with attacks. With an entire cpu dedicated
> > to dealing with attacks you aren't likely to run out of CPU suds (at least
> > not before your attackers fills your internet pipe). This allows you
> > to use more reasonable rulesets on your other machines.
>
> You know, I keep hearing this ... the machine is a 500 mhz p3 celeron with
> 256 megs ram ... and normally `top` says it is at about 80% idle, and
> everything is wonderful - but when someone shoves 12,000-15,000 packets
> per second down its throat, it chokes _hard_. You think that optimizing
> my ruleset will change that ? Or does 15K p/s choke any freebsd+ipfw
> firewall with 1-200 rules running on it ?
>
> thanks.

As for my experience, it is OK for xl interfaces and 5 rules.
And a 200-rule ruleset is probably a lot for 15K p/s on a 500MHz Celeron,
but it is probably OK for a 2000+ AMD.

-- 
@BABOLO http://links.ru/