Date: Sun, 07 Sep 2003 09:31:13 +0000
From: "dsa dsa" <cravietz@hotmail.com>
To: freebsd-ipfw@freebsd.org
Subject: Crippled transparent firewall
Message-ID: <BAY9-F11CJnEMzAUor000024c9e@hotmail.com>
I have FreeBSD 4.8 on a P4 2.4, 1 GB DDR RAM and two Intel EtherPro100 (fxp0, fxp1). I have set up a transparent firewall/bridge on it. The purpose of doing that is only to relieve the CPU load of a Cisco router (7200) which is getting hit pretty often by DDoS attacks. The line carries 100 Mbps. Basically it looks like this:

    Cisco>------------<BSD>--------100mbps-------<INTERNET

OK, now, let's put it this way: the Cisco is pushing about 50 Mbps during off-peak hours, but when I put this BSD-based transparent firewall in front of the Cisco router it goes down to 15 Mbps while the 'top' output shows 90% idle. No firewall rules have been set so far. Do you have any clue what may be wrong? Below is my config:

    options TCP_DROP_SYNFIN                 #drop TCP packets with SYN+FIN
    options ACCEPT_FILTER_DATA
    options ACCEPT_FILTER_HTTP
    options IPFIREWALL                      #firewall
    options IPFIREWALL_VERBOSE              #print information about
    options IPFIREWALL_FORWARD              #enable transparent proxy support
    options IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
    options IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
    options IPFILTER                        #ipfilter support
    options IPFILTER_LOG                    #ipfilter logging
    options IPDIVERT                        #divert sockets
    options IPSTEALTH                       #support for stealth forwarding
    options BRIDGE
    options HZ=1000

    net.inet.ip.fastforwarding=1
    net.inet.ip.forwarding=1
    net.inet.ip.fw.enable=1
    net.inet.ip.fw.verbose=3
    net.inet.ip.fw.one_pass=0
    net.inet.ip.stealth=1
    net.inet.tcp.blackhole=2
    net.inet.tcp.keepidle=9000
    net.inet.tcp.recvspace=65536
    net.inet.tcp.sendspace=65536
    net.inet.udp.blackhole=1
    net.link.ether.bridge=1
    net.link.ether.bridge_cfg=fxp0,fxp1
    net.link.ether.bridge_ipfw=1
    net.link.ether.inet.log_arp_wrong_iface=0
    net.link.ether.ipfw=1

Also, is there any nice FreeBSD tool to precisely count how many packets the box is handling per second?

Greatly appreciate any answer.

Best regards,
Marcin Krawiec
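Added example, not part of the original message or of any FreeBSD tool: a POSIX shell function that answers the packets-per-second question by diffing two `netstat -ibn` snapshots taken a known interval apart, per interface. The snapshot text is constructed to mimic FreeBSD's `netstat -ibn` column layout (Name Mtu Network Address Ipkts Ierrs Ibytes Opkts Oerrs Obytes Coll), and `fxp0`/`fxp1` are the poster's bridge members.

```shell
#!/bin/sh
# pps_delta IFACE INTERVAL SNAP_BEFORE SNAP_AFTER
# Prints "IFACE in_pps out_pps" from two `netstat -ibn` snapshots taken
# INTERVAL seconds apart. Only the "<Link#N>" row is used: that is the
# per-interface counter row; the per-address rows below it show "-" in
# the error columns and would double count.
pps_delta() {
    iface=$1; interval=$2; before=$3; after=$4
    printf '%s\n%s\n' "$before" "$after" | awk -v ifc="$iface" -v dt="$interval" '
        $1 == ifc && $3 ~ /^<Link#/ { n++; ipk[n] = $5; opk[n] = $8 }
        END {
            if (n < 2 || dt <= 0) { print "error"; exit 1 }
            printf "%s %d %d\n", ifc, (ipk[2]-ipk[1])/dt, (opk[2]-opk[1])/dt
        }'
}

# live_pps IFACE INTERVAL: same calculation against the running system.
# Not exercised here; it needs a FreeBSD host with the named interface.
live_pps() {
    b=$(netstat -ibn); sleep "$2"; a=$(netstat -ibn)
    pps_delta "$1" "$2" "$b" "$a"
}

# Constructed snapshots, 2 seconds apart. The MAC addresses and counters
# are made up; on a bridge, packets in on fxp1 leave on fxp0 and vice versa.
SNAP_BEFORE='Name  Mtu Network       Address              Ipkts Ierrs     Ibytes    Opkts Oerrs     Obytes  Coll
fxp0  1500 <Link#1>      00:02:b3:aa:aa:aa  1000000     0  900000000   500000     0  450000000     0
fxp0  1500 10.0.0/24     10.0.0.2            999000     -  899000000   499000     -  449000000     -
fxp1  1500 <Link#2>      00:02:b3:bb:bb:bb  2000000     0 1800000000  3000000     0 2700000000     0'
SNAP_AFTER='Name  Mtu Network       Address              Ipkts Ierrs     Ibytes    Opkts Oerrs     Obytes  Coll
fxp0  1500 <Link#1>      00:02:b3:aa:aa:aa  1024000     0  920000000   512000     0  460000000     0
fxp0  1500 10.0.0/24     10.0.0.2           1023000     -  919000000   511000     -  459000000     -
fxp1  1500 <Link#2>      00:02:b3:bb:bb:bb  2012000     0 1810000000  3024000     0 2720000000     0'

# Both bridge members from the constructed data (fxp0: 12000 in, 6000 out).
pps_delta fxp0 2 "$SNAP_BEFORE" "$SNAP_AFTER"
pps_delta fxp1 2 "$SNAP_BEFORE" "$SNAP_AFTER"
```

On the box itself, `netstat -w 1` already prints system-wide packet totals every second; the function above is for when you want the split per interface and direction.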