Date:      Thu, 16 Jan 2003 16:00:59 -0800
From:      Terry Lambert <tlambert2@mindspring.com>
To:        Josh Brooks <user@mail.econolodgetulsa.com>
Cc:        "."@babolo.ru, Nate Williams <nate@yogotech.com>, Sean Chittenden <sean@chittenden.org>, freebsd-hackers@FreeBSD.ORG
Subject:   Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID:  <3E2747BB.E2E34AC1@mindspring.com>
References:  <20030116155122.X38599-100000@mail.econolodgetulsa.com>

Josh Brooks wrote:
> I removed all the count rules a week or so ago.  Now I just have 2-300
> rules in the form:
> 
> allow tcp from $IP to any established
> allow tcp from any to $IP established
> allow tcp from any to $IP 22,25,80,443 setup
> deny ip from any to $IP
> 
> and I have that same set in there about 50-70 times - one for each
> customer IP address that has requested it.  That's it :)

You have got to be frigging kidding...

Q1)	Are all customers "who have requested it" running the
	same rule set?

Q2)	Have you ever heard of "skipto"?


> So each packet I get goes through about 5 rules at the front to check for
> bogus packets, then about 70 sets of the above until it either matches one
> of those, or goes out the end with the default allow rule.

No, each packet goes through 2-300 rules at the front, in which
the IP address does not match and the rule does not take effect.
Ugh.

1)	Separate inbound and outbound, per what Nate told you.
2)	Have a rule for the IP... preferably for a block of
	them, instead of one per IP
3)	Skip to a common rule set
4)	Be happy

PS: I still think that if your CPU pegs, you've got a loop in there
somewhere.  Most common case is a "reject" or "deny".  Try changing
all of them to "drop", instead, and see if that "fixes" it.

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
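As an added illustration (not code from the thread or from either poster), the script below emits two ipfw(8) rule files: one in the four-rules-per-customer shape quoted above, and one restructured along the four points Terry lists, with inbound separated from outbound, one rule per customer block rather than per address, and a skipto into a single shared service policy. The address blocks, the outside interface name fxp0 and the rule numbers are assumptions made up for the example; both generators work on blocks so the comparison isolates the effect of skipto. The script only prints rules; a file of its output can be loaded with "ipfw -q FILE".

```sh
#!/bin/sh
# Added example (not from the thread): emit an ipfw(8) rule file that
# separates inbound from outbound, matches each customer block once, and
# jumps with skipto to one shared service policy. Output is plain ipfw
# command lines; load with "ipfw -q FILE".
# Assumptions: the address blocks, the interface name fxp0 and the rule
# numbers are made up for illustration.

EXT_IF=${EXT_IF:-fxp0}   # assumed outside interface

# Constructed customer blocks (RFC 5737 documentation space), one per line.
CUSTOMER_BLOCKS='192.0.2.0/28
198.51.100.64/26
203.0.113.128/25'

# Sanity rules every packet sees first; stand-ins for the thread's
# "5 rules at the front", kept short on purpose.
head_rules() {
    echo "add 100 deny ip from 127.0.0.0/8 to any in recv $EXT_IF"
    echo "add 110 deny ip from any to 127.0.0.0/8 in recv $EXT_IF"
}

# The shape quoted in the thread: four rules per customer, all of them
# evaluated for every packet until one matches.
thread_rules() {
    head_rules
    n=1000
    for blk in $CUSTOMER_BLOCKS; do
        echo "add $n allow tcp from $blk to any established"
        echo "add $((n + 1)) allow tcp from any to $blk established"
        echo "add $((n + 2)) allow tcp from any to $blk 22,25,80,443 setup"
        echo "add $((n + 3)) deny ip from any to $blk"
        n=$((n + 10))
    done
    echo "add 65000 allow ip from any to any"
}

# Restructured: outbound leaves early, each customer block costs one
# inbound rule, and the per-service policy is written once.
skipto_rules() {
    head_rules
    # 1) Separate inbound and outbound: anything leaving on the outside
    #    interface is the customers' own traffic and never reaches the
    #    customer section below.
    echo "add 1000 allow ip from any to any out xmit $EXT_IF"
    # 2) One rule per block, not per address; 3) jump to the shared set.
    n=2000
    for blk in $CUSTOMER_BLOCKS; do
        echo "add $n skipto 5000 ip from any to $blk in recv $EXT_IF"
        n=$((n + 1))
    done
    # Non-customer inbound traffic falls through to the default allow.
    echo "add 3000 allow ip from any to any"
    # Shared service policy, reached only via skipto; 'any' is safe here
    # because only packets destined to a customer block arrive.
    echo "add 5000 allow tcp from any to any established"
    echo "add 5010 allow tcp from any to any 22,25,80,443 setup"
    echo "add 5020 deny ip from any to any"
}

# Number of "add" lines a rule set contains; the skipto set grows by one
# rule per customer block, the quoted shape by four.
rule_count() {
    "$1" | grep -c '^add '
}

skipto_rules
```

With three blocks the restructured file holds 10 rules against 15 for the quoted shape, and the gap widens by three rules per additional customer; more to the point, an inbound packet for a customer now passes the head rules, the outbound rule, at most one skipto per block and the three shared rules, instead of every other customer's set. On the PS about CPU load: in ipfw "deny" and "drop" are the same action, while "reject" additionally generates an ICMP unreachable per packet, so that is the extra per-packet work a switch to "drop" removes.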
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3E2747BB.E2E34AC1>