From owner-freebsd-hackers Thu Jan 16 16:09:53 2003
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 60B8337B401 for ; Thu, 16 Jan 2003 16:09:52 -0800 (PST)
Received: from aaz.links.ru (aaz.links.ru [193.125.152.37]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6258943ED8 for ; Thu, 16 Jan 2003 16:09:51 -0800 (PST) (envelope-from babolo@aaz.links.ru)
Received: from aaz.links.ru (aaz.links.ru [193.125.152.37]) by aaz.links.ru (8.12.6/8.12.6) with ESMTP id h0H0BYiI003699; Fri, 17 Jan 2003 03:11:34 +0300 (MSK) (envelope-from babolo@aaz.links.ru)
Received: (from babolo@localhost) by aaz.links.ru (8.12.6/8.12.6/Submit) id h0H0BYPn003698; Fri, 17 Jan 2003 03:11:34 +0300 (MSK)
Message-Id: <200301170011.h0H0BYPn003698@aaz.links.ru>
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
X-ELM-OSV: (Our standard violations) hdr-charset=KOI8-R; no-hdr-encoding=1
In-Reply-To: <20030116161104.T41959-100000@vespa.dmz.orem.verio.net>
To: Fred Clift
Date: Fri, 17 Jan 2003 03:11:34 +0300 (MSK)
From: "."@babolo.ru
Cc: Josh Brooks, freebsd-hackers@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL99b (25)]
MIME-Version: 1.0
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> On Thu, 16 Jan 2003, Josh Brooks wrote:
>
> > You know, I keep hearing this ... the machine is a 500 MHz P3 Celeron with
> > 256 megs RAM ... and normally `top` says it is at about 80% idle, and
> > everything is wonderful - but when someone shoves 12,000-15,000 packets
> > per second down its throat, it chokes _hard_. You think that optimizing
> > my ruleset will change that? Or does 15K p/s choke any freebsd+ipfw
> > firewall with 1-200 rules running on it?
>
> You and I read the snipped statement differently -- I _thought_ he was
> saying that you should have two chained firewalls
>
> isp-fw1-fw2-

The load in this case is really low, so one box with a more powerful CPU is
better than two boxes with anaemic CPUs.

> Have fw1 only do 'deny' things on attacks (with a default allow) and have
> fw2 do only 'allow' for valid traffic with a 'default deny' for everything
> else. The class of machine you are talking about can be purchased used
> for under $100 right now so it wouldn't be that much of an investment
> money-wise... In fact, fw1 could be a transparent bridge that just
> dropped DoS stuff...
>
> Perhaps I'm wrong in my reading, but this might work anyway... Also note
> that much beefier iron can be purchased for under $500 if you are willing
> to do a bit of digging and assembly. You might also look at the network
> cards you have and replace them with different ones. Some driver/card
> combos are much more efficient than others. I don't know what you have,
> and I don't know which ones you should consider getting. I use Intel (fxp)
> cards a lot and like them.

-- 
@BABOLO                  http://links.ru/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
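The two-stage layout Fred sketches above (fw1 deny-only with a default allow, fw2 allow-only with a default deny) written out as ipfw(8) rule files. This is an added example for this page, not code from either poster or from the FreeBSD project. It assumes fxp0 is the outside interface on both boxes, 192.0.2.0/24 is the hosted block behind fw2, and 192.0.2.10 is one web host; all three are placeholders. The bridge sysctls needed to run fw1 as a transparent bridge differ between FreeBSD releases and are not shown. The rules are emitted as a file rather than run directly so they can be reviewed first; ipfw evaluates rules in order and stops at the first match, so the cheap, high-volume matches are placed first in each list.

```shell
#!/bin/sh
# Two-stage ipfw layout (added example, not from the original posts).
# Assumed names: fxp0 = outside interface, 192.0.2.0/24 = hosted block,
# 192.0.2.10 = one web host behind fw2.  Output is an ipfw(8) rule file
# ("add ..." lines, '#' comments), loadable with:  ipfw -q /path/to/file

EXT_IF="${EXT_IF:-fxp0}"
INSIDE_NET="${INSIDE_NET:-192.0.2.0/24}"
WEB_HOST="${WEB_HOST:-192.0.2.10}"

# fw1: default allow.  Only drops packets that are junk regardless of the
# service behind it (spoofed source addresses, fragments, impossible flag
# combinations), so a legitimate packet falls through a short list quickly.
fw1_rules() {
    cat <<EOF
# fw1: deny-only, default allow
add 100 deny ip from $INSIDE_NET to any in via $EXT_IF
add 110 deny ip from 10.0.0.0/8 to any in via $EXT_IF
add 111 deny ip from 172.16.0.0/12 to any in via $EXT_IF
add 112 deny ip from 192.168.0.0/16 to any in via $EXT_IF
add 113 deny ip from 127.0.0.0/8 to any in via $EXT_IF
add 200 deny ip from any to any frag
add 210 deny tcp from any to any tcpflags syn,fin
add 65000 allow ip from any to any
EOF
}

# fw2: default deny.  check-state and "established" come first because they
# match the bulk of legitimate traffic; only new connections reach the
# per-service rules below them.
fw2_rules() {
    cat <<EOF
# fw2: allow-only, default deny
add 100 check-state
add 110 allow tcp from any to any established
add 200 allow tcp from any to $WEB_HOST 80,443 in via $EXT_IF setup keep-state
add 210 allow udp from $INSIDE_NET to any 53 out via $EXT_IF keep-state
add 220 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny log logamount 100 ip from any to any
EOF
}

# Layering contract check: fw1 must contain no allow rule before its default,
# fw2 no deny rule before its default.  Returns 0 when both hold.
check_layering() {
    fw1_rules | grep '^add' | sed '$d' | grep -q ' allow ' && return 1
    fw2_rules | grep '^add' | sed '$d' | grep -q ' deny '  && return 1
    return 0
}

# Usage:  sh fw.sh fw1 > /etc/ipfw.fw1.rules   (then: ipfw -q /etc/ipfw.fw1.rules)
case "${1:-}" in
    fw1)   fw1_rules ;;
    fw2)   fw2_rules ;;
    check) check_layering && echo "layering ok" ;;
    *) ;;
esac
```

The split only buys anything if fw1 really discards the flood before fw2 sees it; per-packet cost on each box is roughly the number of rules walked before the first match, so rule order and count matter more than how many boxes the rules are spread across, which is the point made in the reply above.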