Date: Sun, 1 May 2005 16:54:20 +0100
From: Henry Blackman <h.blackman@chester.ac.uk>
To: freebsd-ipfw@freebsd.org
Subject: Re: Problem with high load on Xeon server...
Message-ID: <BA9E5617-98D2-43E0-98ED-719C921E09E5@chester.ac.uk>
In-Reply-To: <20050501093740.C38031@kira.epconline.net>
References: <20050501093740.C38031@kira.epconline.net>
There are better ways of achieving what you're trying to do. Using black lists (spamcop.net etc.) is more efficient, but of course is resource intensive for busy servers - it is however dramatically better than doing what you're doing, which probably isn't sustainable in the longer term. I'd take a look at SpamAssassin, or you can simply use blacklists such as bl.spamcop.net and others in sendmail. SpamAssassin can also do other things than simply block IP addresses...

Henry

On 1 May 2005, at 15:47, Chuck Rock wrote:

> I'm running FreeBSD release 5.2.1
>
> I would like to add 61,000+ rules to ipfw. When I get to about 10,000
> rules, the box's load gets real high, and stays there until I delete the
> rules.
>
> Has anyone actually used the 60,000+ rule numbers available? I've tried
> this on two different servers with similar results.
>
> One server is Dual Xeon 2.8Gig. Average load is between 1 and 2 with 7
> rules in ipfw. Load goes between 17 and 28 with around 12,000 rules.
>
> The other server is dual P3-1Gig with avg. load of 1 with 7 rules. With
> about 9,000 rules, the load goes to 8. With 20,000 rules, the box
> overloaded and locked up, no kernel panic, just no keyboard, mouse, IP
> traffic, console screen froze, etc.
>
> Both boxes showed no excessive memory usage.
>
> Why 60,000 IP's you ask... These boxes are high traffic mail servers, and
> I've got an extensive sendmail access file. I wanted to keep the servers
> from handling so much spam by blocking the IP's of relays that failed the
> access list relay check.
>
> Over about one week, I have 60,000+ unique IP addresses from my logs.
>
> On one server when I was able to get about 21,000 rules in, the rate of
> spam dropped from 90% to about 50%, so I could really tell it was
> working.
>
> I just need to figure out how to drop those packets.
>
> I was also thinking of building a bridge firewall so the server wasn't
> doing anything but filtering packets, but after seeing that ipfw
> couldn't even handle half of the 65,000 rules available, I'm having second
> thoughts.
>
> Anyone have any ideas?
>
> Thanks,
> Chuck
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
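The load problem Chuck describes comes from ipfw evaluating a long linear rule chain for every packet; 60,000 `deny` rules means up to 60,000 comparisons per packet. The usual fix on FreeBSD is one rule that consults an ipfw lookup table (a radix-tree lookup, so cost barely grows with the number of addresses). The script below is an added example and is not code from either poster or from the thread: it takes sendmail-style "Relaying denied" log lines, extracts the unique relay IPs, and emits the `ipfw table` commands plus the single rule that uses the table. The log lines and table number 1 are constructed for the example; it assumes the running ipfw supports lookup tables (check ipfw(8) on your release), and it only prints the commands rather than running them, so it can be reviewed before being piped through `sh` as root.

```shell
#!/bin/sh
# Added example, not from the thread. Build one ipfw lookup table from relay
# IPs seen in mail logs instead of adding one ipfw rule per address.
# Assumes ipfw on the target host supports "table" (see ipfw(8)).

# Constructed sample sendmail log lines; only the bracketed relay IP is used.
SAMPLE_LOG='May  1 10:00:01 mx sm-mta[1234]: j41A001z: ruleset=check_rcpt, arg1=<x@example.net>, relay=[192.0.2.10], reject=550 5.7.1 <x@example.net>... Relaying denied
May  1 10:00:02 mx sm-mta[1235]: j41A002z: ruleset=check_rcpt, arg1=<y@example.net>, relay=host.example [198.51.100.7], reject=550 5.7.1 <y@example.net>... Relaying denied
May  1 10:00:03 mx sm-mta[1236]: j41A003z: ruleset=check_rcpt, arg1=<z@example.net>, relay=[192.0.2.10], reject=550 5.7.1 <z@example.net>... Relaying denied
May  1 10:00:04 mx sm-mta[1237]: j41A004z: from=<a@example.org>, size=1234, relay=[203.0.113.5]'

# extract_relay_ips: read log lines on stdin, print each unique IPv4 address
# that was refused for relaying, one per line, sorted. Lines that are not
# "Relaying denied" rejections (ordinary deliveries) are ignored.
extract_relay_ips() {
    grep 'Relaying denied' |
    sed -n 's/.*relay=[^[]*\[\([0-9][0-9.]*\)].*/\1/p' |
    sort -u
}

# gen_table_cmds TABLE: read IPs on stdin and emit one "ipfw table N add"
# line per address, followed by the single rule that consults the table.
# Table number 1 and rule number 100 are arbitrary choices for the example.
gen_table_cmds() {
    table="$1"
    while read -r ip; do
        [ -n "$ip" ] && printf 'ipfw -q table %s add %s\n' "$table" "$ip"
    done
    printf 'ipfw -q add 100 deny ip from "table(%s)" to any in\n' "$table"
}

# count_relay_ips: number of unique refused relays in SAMPLE_LOG.
count_relay_ips() {
    printf '%s\n' "$SAMPLE_LOG" | extract_relay_ips | wc -l | tr -d ' '
}

# build_commands: the full command list for SAMPLE_LOG, using table 1.
build_commands() {
    printf '%s\n' "$SAMPLE_LOG" | extract_relay_ips | gen_table_cmds 1
}

# Stand-alone run: print the commands. To apply on a real host, feed the
# real maillog into extract_relay_ips and pipe the output through sh as root.
build_commands
```

With a real week of logs the table would hold the 60,000 addresses as entries while the firewall keeps one rule; `ipfw table 1 list` shows the contents and `ipfw table 1 flush` clears it, so the block list can be rebuilt from fresh logs without touching the rule set. Note that this still does not change Henry's point: blocking at the DNS-blacklist or SpamAssassin level catches relays you have not seen yet, whereas a log-derived table only blocks addresses that already got through once.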