From owner-freebsd-hackers Thu Jan 16 16:11:49 2003
Message-ID: <3E274A39.C73EEF96@tel.fer.hr>
Date: Fri, 17 Jan 2003 01:11:37 +0100
From: Marko Zec <zec@tel.fer.hr>
To: Josh Brooks
Cc: Matthew Dillon, Nate Williams, freebsd-hackers@FreeBSD.ORG
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
References: <20030116143937.F38599-100000@mail.econolodgetulsa.com>
Sender: owner-freebsd-hackers@FreeBSD.ORG

Josh Brooks wrote:

> My freebsd machine does _nothing_ but filter packets and run ssh.
>
> > ONLY purpose is to deal with attacks. With an entire cpu dedicated
> > to dealing with attacks you aren't likely to run out of CPU suds (at least
> > not before your attackers fill your internet pipe). This allows you
> > to use more reasonable rulesets on your other machines.
>
> You know, I keep hearing this ... the machine is a 500 mhz p3 celeron with
> 256 megs ram ... and normally `top` says it is at about 80% idle, and
> everything is wonderful - but when someone shoves 12,000-15,000 packets
> per second down its throat, it chokes _hard_. You think that optimizing
> my ruleset will change that ? Or does 15K p/s choke any freebsd+ipfw
> firewall with 1-200 rules running on it ?

In my opinion, besides trying to optimize the filtering ruleset as suggested
by other folks, you could do yourself a favor by purchasing a more decent CPU
and faster DDRAM. It is obvious that at 20,000 pps or even more (with typical
DoS small-sized packets) your machine won't hit the PCI bus limits, so you
won't need any fancy and expensive PCI-X motherboards and/or NICs, just go
for higher CPU clock, more cache, and more RAM bandwidth.

Another thing to consider if your system is experiencing livelock under
attacks would be using the polling mode instead of interrupts, see
http://info.iet.unipi.it/~luigi/polling/ for details.

Marko

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
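The two concrete suggestions in the thread, switching the NICs to polling mode and ordering the ipfw ruleset so that a flood leaves the chain after a handful of rules, as an added example. This is not code from Marko's message nor from the FreeBSD project's own rc files. It assumes a FreeBSD 4.x-era kernel (the message is from January 2003) built with "options DEVICE_POLLING" and "options HZ=1000", and a NIC whose driver supports polling, as described on the polling page linked above; the interface name fxp0, the protected network 192.0.2.0/24 and the host 192.0.2.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original message or from FreeBSD's rc files.
# Assumes a FreeBSD 4.x kernel with DEVICE_POLLING and HZ=1000 and a NIC
# driver that supports polling. fxp0, 192.0.2.0/24 and 192.0.2.10 are
# placeholders.

# Polling: instead of taking one interrupt per received packet, the kernel
# polls the NIC from the clock tick and the idle loop. Under a flood this
# bounds the CPU spent on packet reception, so sshd and the rest of the
# kernel keep running instead of livelocking. These are the sysctl.conf
# lines for that mode (user_frac is the share of each tick reserved for
# userland; 50 is the kernel default).
polling_sysctls() {
    cat <<'EOF'
kern.polling.enable=1
kern.polling.user_frac=50
EOF
}

# Lean ipfw ruleset, in the form read by "ipfw /etc/ipfw.rules". ipfw walks
# rules linearly until one matches, so with 100-200 rules a flood of small
# packets can cost that many evaluations each. Putting the common cases
# (bogon sources, established TCP) in the first few rules and using skipto
# to split the rest by direction keeps the per-packet cost small. Note the
# trade-off: a stateless "established" rule is cheap but passes ACK floods
# to the hosts behind the box; check-state/keep-state is stricter but
# costs more CPU per packet, which is the resource that is short here.
ipfw_ruleset() {
    ext=${1:-fxp0}
    net=${2:-192.0.2.0/24}
    cat <<EOF
-f flush
# 1. Spoofed private/loopback/own-net sources: cheap tests most DoS traffic hits
add 100 deny ip from 10.0.0.0/8 to any in via $ext
add 110 deny ip from 172.16.0.0/12 to any in via $ext
add 120 deny ip from 192.168.0.0/16 to any in via $ext
add 130 deny ip from 127.0.0.0/8 to any in via $ext
add 140 deny ip from $net to any in via $ext
# 2. Established TCP: long-lived legitimate flows leave the chain here
add 200 allow tcp from any to any established
# 3. Split the remainder by direction so each packet walks only its half
add 300 skipto 1000 ip from any to any in via $ext
add 310 skipto 2000 ip from any to any out via $ext
add 320 allow ip from any to any
# inbound: only the services the hosts behind the box actually offer
add 1000 allow tcp from any to 192.0.2.10 22 in via $ext setup
add 1010 allow tcp from any to 192.0.2.10 80 in via $ext setup
add 1020 allow udp from any 53 to $net in via $ext
add 1999 deny ip from any to any in via $ext
# outbound: the protected net may talk out, nothing else may
add 2000 allow ip from $net to any out via $ext
add 2999 deny ip from any to any out via $ext
EOF
}

# 0-based position of a rule in the emitted list: an upper bound on how
# many rules a packet that matches it has walked (skipto shortens the
# walk for the later rules). Constructed helper for checking the ordering.
rule_position() {
    ipfw_ruleset | grep '^add ' | awk -v n="$1" '$2 == n { print NR - 1; exit }'
}
```

The anti-spoofing and established rules sit first because they are what a small-packet flood overwhelmingly matches; a packet that hits rule 200 has been compared against five rules, not a hundred. Polling only helps if the driver supports it, so check the driver's manual page before relying on kern.polling.enable.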