From owner-freebsd-ipfw@FreeBSD.ORG Sun May 1 15:54:27 2005
From: Henry Blackman
Date: Sun, 1 May 2005 16:54:20 +0100
To: freebsd-ipfw@freebsd.org
Subject: Re: Problem with high load on Xeon server...
In-Reply-To: <20050501093740.C38031@kira.epconline.net>
List-Id: IPFW Technical Discussions

There are better ways of achieving what you're trying to do. Using blacklists (spamcop.net etc.) is more efficient, but of course is resource intensive for busy servers - it is however dramatically better than doing what you're doing, which probably isn't sustainable in the longer term.

I'd take a look at SpamAssassin, or you can simply use blacklists (bl.spamcop.net and others) in sendmail. SpamAssassin can also do other things than simply block IP addresses...

Henry

On 1 May 2005, at 15:47, Chuck Rock wrote:

> I'm running FreeBSD release 5.2.1
>
> I would like to add 61,000+ rules to ipfw.
> When I get to about 10,000 rules, the box's load gets real high,
> and stays there until I delete the rules.
>
> Has anyone actually used the 60,000+ rule numbers available? I've tried
> this on two different servers with similar results.
>
> One server is Dual Xeon 2.8Gig. Average load is between 1 and 2 with 7
> rules in ipfw. Load goes between 17 and 28 with around 12,000 rules.
>
> The other server is dual P3-1Gig with avg. load of 1 with 7 rules. With
> about 9,000 rules, the load goes to 8. With 20,000 rules, the box
> overloaded and locked up, no kernel panic, just no keyboard, mouse, IP
> traffic, console screen froze, etc.
>
> Both boxes showed no excessive memory usage.
>
> Why 60,000 IP's you ask... These boxes are high traffic mail servers, and
> I've got an extensive sendmail access file. I wanted to keep the servers
> from handling so much spam by blocking the IP's of relays that failed the
> access list relay check.
>
> Over about one week, I have 60,000+ unique IP addresses from my logs.
>
> On one server when I was able to get about 21,000 rules in, the rate of
> spam dropped from 90% to about 50%, so I could really tell it was
> working.
>
> I just need to figure out how to drop those packets.
>
> I was also thinking of building a bridge firewall so the server wasn't
> doing anything but filtering packets, but after seeing that ipfw couldn't
> even handle half of the 65,000 rules available, I'm having second
> thoughts.
>
> Anyone have any ideas?
>
> Thanks,
> Chuck
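The blacklist lookup Henry is recommending as a replacement for the per-IP ipfw rules, written out as an added example (this is not code from the thread, nor from sendmail or SpamAssassin). The zone name bl.spamcop.net is the one the reply mentions; the convention that a listing comes back as an A record in 127.0.0.0/8 is an assumption about that zone; fake_resolve, its zone data and the sample addresses are constructed so the block runs offline. The check also treats a non-127/8 answer as "not listed", a caveat worth having because a dead or wildcarded zone would otherwise block every connecting relay.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple

# Zone named in the reply; the 127/8 answer convention is assumed, not taken from the thread.
DEFAULT_ZONE = "bl.spamcop.net"
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str = DEFAULT_ZONE) -> str:
    """Build the DNSBL lookup name: reverse the IPv4 octets, append the zone.

    192.0.2.10 under bl.spamcop.net becomes 10.2.0.192.bl.spamcop.net
    """
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not a plain IPv4 address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip: str, zone: str = DEFAULT_ZONE,
              resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """Return True if the DNSBL lists the address.

    NXDOMAIN (socket.gaierror) means "not listed".  An answer inside 127/8
    means "listed".  Any other answer is treated as "not listed" so that a
    wildcard reply from a broken or hijacked zone cannot block all clients.
    """
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False
    try:
        return ipaddress.IPv4Address(answer) in LISTED_NET
    except ipaddress.AddressValueError:
        return False


def filter_relays(ips: Iterable[str], zone: str = DEFAULT_ZONE,
                  resolve: Callable[[str], str] = socket.gethostbyname
                  ) -> Tuple[List[str], List[str]]:
    """Split connecting relay addresses into (listed, clean)."""
    listed: List[str] = []
    clean: List[str] = []
    for ip in ips:
        (listed if is_listed(ip, zone, resolve) else clean).append(ip)
    return listed, clean


# Constructed offline resolver standing in for real DNS.  Names not in the
# table raise gaierror, which is what a real resolver does for NXDOMAIN.
_FAKE_ZONE_DATA = {
    "10.2.0.192.bl.spamcop.net": "127.0.0.2",      # constructed: a listed relay
    "99.255.0.203.bl.spamcop.net": "203.0.113.9",  # constructed: bogus non-127/8 answer
}


def fake_resolve(name: str) -> str:
    try:
        return _FAKE_ZONE_DATA[name]
    except KeyError:
        raise socket.gaierror("NXDOMAIN (constructed)")


if __name__ == "__main__":
    sample = ["192.0.2.10", "198.51.100.7", "203.0.255.99"]  # constructed addresses
    listed, clean = filter_relays(sample, resolve=fake_resolve)
    print("listed:", listed)
    print("clean: ", clean)
```

With the real resolver (the default argument) the lookup happens once per SMTP connection and is cached by the local resolver for the record's TTL, which is the reason a DNSBL scales where a 60,000-entry linear packet filter does not: the cost moves from every packet on the box to one DNS query per connecting relay.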