Date: Thu, 16 Jan 2003 13:09:24 -0800
From: Tim Kientzle <kientzle@acm.org>
To: Josh Brooks <user@mail.econolodgetulsa.com>
Cc: Sean Chittenden <sean@chittenden.org>, freebsd-hackers@FreeBSD.ORG, nate@yogotech.com
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID: <3E271F84.2050809@acm.org>
References: <20030116124254.J9642-100000@mail.econolodgetulsa.com>
Josh Brooks wrote:
> The problem is, I have a few hundred ipfw rules (there are over 200
> machines behind this firewall) and so when a DDoS attack comes, every
> packet has to traverse those hundreds of rules - and so even though the
> firewall is doing nothing other than filtering packets, the cpu gets all
> used up.

I wonder if it would help to run two separate FreeBSD appliance
firewalls: a 'front' one that just screens obvious attacks using
stateless packet filtering, and a 'rear' one that handles more
CPU-consuming stateful filtering. If carefully done, that might help a
lot to alleviate the CPU bottleneck.

Just a thought,

Tim Kientzle

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
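The cost argument in the thread (every packet walks a few hundred ipfw rules, first match wins) and Tim's proposed split can be made concrete with a small model. The following is an added example, not code from the thread or from FreeBSD: it simulates ipfw-style linear first-match evaluation, including 'setup', 'keep-state' and 'check-state' semantics, over constructed rule sets and constructed traffic. The topology (200 web servers in 192.0.2.0/24, a front box that only drops packets with spoofed private or loopback sources, a rear box with check-state at the top) and the floods are assumptions chosen to show where the split saves rule checks and where it does not.

```python
"""Model of ipfw-style first-match rule traversal, comparing one flat ruleset
against a stateless front filter placed before a stateful rear filter.
Added example for the thread above; rule sets and traffic are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    syn: bool = False   # True for a TCP connection-setup packet (SYN without ACK)

    def __post_init__(self):
        self.src_ip = ipaddress.ip_address(self.src)   # parsed once, matched many times


@dataclass
class Rule:
    action: str                     # "allow", "deny" or "check-state"
    src_net: str = "0.0.0.0/0"
    dst: Optional[str] = None       # exact destination host, None = any
    dport: Optional[int] = None
    proto: Optional[str] = None
    setup: bool = False             # ipfw 'setup': match connection-setup packets only
    keep_state: bool = False        # ipfw 'keep-state': create a dynamic flow entry

    def __post_init__(self):
        self.net = ipaddress.ip_network(self.src_net)

    def matches(self, pkt):
        return (pkt.src_ip in self.net
                and (self.dst is None or pkt.dst == self.dst)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.proto is None or pkt.proto == self.proto)
                and (not self.setup or pkt.syn))


def flow_key(pkt):
    return (pkt.proto, pkt.src, pkt.dst, pkt.dport)


def evaluate(rules, pkt, flows):
    """Walk rules in order, first match wins.  Returns (verdict, rules examined).
    'flows' is the dynamic state table consulted by check-state."""
    examined = 0
    for rule in rules:
        examined += 1
        if rule.action == "check-state":
            if flow_key(pkt) in flows:
                return "allow", examined
            continue
        if rule.matches(pkt):
            if rule.keep_state:
                flows.add(flow_key(pkt))
            return rule.action, examined
    return "deny", examined     # nothing matched: implicit default deny


# Hypothetical topology: 200 web servers in 192.0.2.0/24 (TEST-NET-1) behind the firewall.
SERVERS = [f"192.0.2.{n}" for n in range(1, 201)]

# Single flat stateless set, one allow per host then deny: every packet walks all of it.
FLAT = [Rule("allow", dst=h, dport=80, proto="tcp") for h in SERVERS] + [Rule("deny")]

# Front box: a handful of stateless rules that only drop what is obviously bogus,
# here packets claiming a private or loopback source address.
FRONT = [Rule("deny", src_net="10.0.0.0/8"), Rule("deny", src_net="127.0.0.0/8"), Rule("allow")]

# Rear box: stateful; check-state first so an established flow costs one rule check.
REAR = ([Rule("check-state")]
        + [Rule("allow", dst=h, dport=80, proto="tcp", setup=True, keep_state=True) for h in SERVERS]
        + [Rule("deny")])


def flat_policy(pkt, flows):
    return evaluate(FLAT, pkt, flows)


def two_tier_policy(pkt, flows):
    verdict, n = evaluate(FRONT, pkt, set())    # stateless front box: no flow table
    if verdict != "allow":
        return verdict, n
    verdict, m = evaluate(REAR, pkt, flows)
    return verdict, n + m


def run(policy, packets):
    """Returns (verdict per packet, total rule checks) for a packet sequence."""
    flows, verdicts, total = set(), [], 0
    for pkt in packets:
        v, n = policy(pkt, flows)
        verdicts.append(v)
        total += n
    return verdicts, total


# Constructed traffic: a SYN flood to a closed port from spoofed 10/8 sources, the same
# flood from routable sources the front box cannot screen, and one legitimate session.
SPOOFED = [Packet("tcp", f"10.{i // 256 % 256}.{i % 256}.{i % 250 + 1}", "192.0.2.200", 22, syn=True)
           for i in range(1000)]
UNSPOOFED = [Packet("tcp", f"203.0.113.{i % 250 + 1}", "192.0.2.200", 22, syn=True) for i in range(1000)]
LEGIT = ([Packet("tcp", "198.51.100.7", "192.0.2.150", 80, syn=True)]
         + [Packet("tcp", "198.51.100.7", "192.0.2.150", 80)] * 9)

if __name__ == "__main__":
    for name, policy in (("flat", flat_policy), ("two-tier", two_tier_policy)):
        for label, pkts in (("spoofed flood", SPOOFED), ("routable flood", UNSPOOFED), ("legit session", LEGIT)):
            verdicts, checks = run(policy, pkts)
            print(f"{name:9s} {label:15s} {checks:7d} rule checks, {verdicts.count('deny'):4d}/{len(pkts)} dropped")
```

The numbers the model produces make the practitioner's caveat explicit. The spoofed flood costs 201 rule checks per packet on the flat set and one on the two-tier set, and an established legitimate flow drops from 150 checks per packet to 4 once check-state holds its entry. A flood the front box cannot recognise statelessly, however, still walks the whole rear set (205 checks per packet, slightly more than the flat set because of the extra hop), so the split only pays off to the extent that the front box's few rules catch the bulk of the attack traffic; for the rest, rule ordering and the stateful shortcut are what matter.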