From: "."@babolo.ru (@BABOLO)
To: Josh Brooks
Cc: Matthew Dillon, Nate Williams, freebsd-hackers@FreeBSD.ORG
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Date: Fri, 17 Jan 2003 02:57:55 +0300 (MSK)
Message-Id: <200301162357.h0GNvtKm002829@aaz.links.ru>
In-Reply-To: <20030116143937.F38599-100000@mail.econolodgetulsa.com>

> > If attacks are a predominant problem for you, I recommend sticking a
> > machine in between your internet connection and everything else whose
>
> Actually this is what I already do - my ISP does all the routing, and it
> feeds in one interface of my FreeBSD machine, and everything else is on
> the other side of the FreeBSD machine.
>
> My FreeBSD machine does _nothing_ but filter packets and run ssh.
>
> > ONLY purpose is to deal with attacks. With an entire CPU dedicated
> > to dealing with attacks you aren't likely to run out of CPU suds (at least
> > not before your attackers fill your internet pipe). This allows you
> > to use more reasonable rulesets on your other machines.
>
> You know, I keep hearing this ... the machine is a 500 MHz P3 Celeron with
> 256 MB RAM ... and normally `top` says it is at about 80% idle, and
> everything is wonderful - but when someone shoves 12,000-15,000 packets
> per second down its throat, it chokes _hard_. You think that optimizing
> my ruleset will change that? Or does 15K p/s choke any FreeBSD+ipfw
> firewall with 1-200 rules running on it?
>
> thanks.

In my experience it is OK for xl interfaces and 5 rules.
A 200-rule ruleset is probably a lot at 15K p/s for a 500 MHz Celeron,
but it is probably OK for a 2000+ AMD.

--
@BABOLO      http://links.ru/
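The thread's point, that 5 rules survive 15K p/s while 200 rules may not, follows from how ipfw evaluates a ruleset: rules are walked in ascending number order and the first match decides, so a packet that matches nothing (a flood aimed at a port no rule mentions) is compared against every rule before it hits the default rule. The model below is an added example, not code from the thread or from ipfw itself; it reproduces that first-match linear scan on a constructed 200-line policy and a constructed flood, and counts rule checks per second at the 15,000 p/s figure from the question. Addresses, rule numbers and the `service_rules` / `with_attack_deny_first` helpers are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp"
    src: str     # source address
    dst: str     # destination address
    dport: int   # destination port (0 when the protocol has none)


@dataclass(frozen=True)
class Rule:
    number: int            # ipfw-style rule number; lower numbers run first
    action: str            # "allow" or "deny"
    proto: str = "ip"      # "ip" matches any protocol
    src: str = "any"       # CIDR or "any"
    dst: str = "any"       # CIDR or "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """First-match scan in rule-number order, as ipfw does.

    Returns (action, configured rules examined).  A packet that matches
    nothing is compared against every configured rule and then falls to
    the default rule, which this model assumes is deny.
    """
    ordered = sorted(rules, key=lambda r: r.number)
    for examined, rule in enumerate(ordered, start=1):
        if rule.matches(p):
            return rule.action, examined
    return "deny", len(ordered)


def rule_checks_per_second(rules: List[Rule], packets: List[Packet], pps: int) -> float:
    """Average rules examined per packet, scaled to a packet rate."""
    total = sum(evaluate(rules, p)[1] for p in packets)
    return total / len(packets) * pps


def service_rules(n: int) -> List[Rule]:
    # Constructed policy: one "allow tcp ... 80" rule per protected host,
    # which is how a hand-written ruleset grows to 100-200 lines.
    return [Rule(100 + i, "allow", "tcp", dst=f"10.0.0.{i + 1}/32", dport=80)
            for i in range(n)]


def with_attack_deny_first(rules: List[Rule], attacker_net: str) -> List[Rule]:
    # Same policy with one deny for the flood source placed at rule 10,
    # so attack packets are dropped after a single check instead of n.
    return [Rule(10, "deny", src=attacker_net)] + rules


if __name__ == "__main__":
    PPS = 15_000                                              # figure from the question
    flood = [Packet("udp", "192.0.2.7", "10.0.0.1", 53)] * 100  # constructed flood stream
    long_policy = service_rules(200)
    short_policy = service_rules(5)
    hardened = with_attack_deny_first(long_policy, "192.0.2.0/24")
    for name, rs in [("5 rules", short_policy),
                     ("200 rules", long_policy),
                     ("200 rules, deny first", hardened)]:
        print(f"{name:22s} {rule_checks_per_second(rs, flood, PPS):>12,.0f} rule checks/s")
```

The run prints 75,000, 3,000,000 and 15,000 rule checks per second for the three policies: the same flood costs the 200-rule box forty times the matching work of the 5-rule box, and a single early deny for the attacking range brings it back down. The model deliberately ignores per-rule cost differences, interrupt and driver overhead (the other half of a machine that "chokes hard"), and ipfw features such as `skipto` and `check-state`/`keep-state` that shorten the path for traffic that does match; it only shows why ruleset length and ordering matter at this packet rate.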