Date: Tue, 18 Sep 2001 23:14:50 -0400 (EDT)
From: "Marc G. Fournier"
Subject: Re: ipfw problems ...
In-Reply-To: <20010918134410.P87162-100000@atelier.acadiau.ca>
Message-ID: <20010918230726.M30377-100000@mail1.hub.org>
Sender: owner-freebsd-net@FreeBSD.ORG

I recently set up a box on our network, running FreeBSD 4.4-PRERELEASE, with ipfw and dummynet to do bandwidth shaping as well as firewalling ...

The machine is a Dual PIII 733 w/1gig of RAM and 2xfxp0 devices ...

I've got an /etc/fw.rules file that has ~1200 rules in it so far, and still have more that I want to put in, but today the machine locked up solid ... I ended up re-starting the machine with fw set to open, and loaded a few rules at a time ... got up to 747 rules before the machine pretty much ground to a halt, with the occasional keystroke going through ...

~900 or so of the rules are purely 'pass thru' rules ... we have two connections to the internet ... one that costs us nothing, and one that costs us quite dearly ... we want to allow all traffic that goes to sites on the 'costs us nothing' network to go through unimpeded, while that which goes through the 'costs us quite dearly' to be 'shaped' ... the ~900 rules are the ones that define those b-class networks that are on the 'costs us nothing' network ...

I'm not seeing any errors on the console to indicate a problem, it just slowly grinds to a halt ... is there a setting in the kernel, or somewhere, that I should be setting to allow for such a high number of rules, or is it just not possible to do more than a few hundred? :(

Thanks