> In any case, he's got something else strange going on, because
> his load under attack, according to his numbers, never gets above
> the load you'd expect on 10Mbit old-style ethernet, so he's got
> something screwed up; probably, he has a loop in his rules, and
> a packet gets trapped and reprocessed over and over again (a
> friend of mine had this problem back in early December).
You are correct that the network load is very low (less than 10 megabits/s when getting attacked), but if the packets/s is extremely high, isn't it expected that if some extremely large number of packets per second traverses 2-300 properly constructed rules, the CPU is going to choke? When I say "properly constructed" I just mean there is nothing blatantly wrong, like a rule loop; obviously the _efficiency_ of the ruleset could always be improved.

My main question is, given that I get attacked a lot in a lot of different ways, am I wasting my time trying to find that greater efficiency? That is, will freebsd+ipfw always be worse in a ~10 meg/s throughput network that gets attacked all the time than a purpose-built appliance like a netscreen?

I would sure like to stick with a freebsd firewall... so much nicer to use, and with all the unix tools right there...
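The point being argued in this thread is that per-packet CPU cost is roughly (packets per second) x (rules examined per packet), so a high-pps flood of small packets can saturate a box even when the link is nearly idle. The following simplified first-match rule-list model is an added example, not code from either poster or from ipfw itself; it uses made-up rule numbers and a constructed packet flood to count how many rules a packet touches in a flat 200-rule list versus a list partitioned with a forward `skipto`, and it includes a static check for the kind of rule loop the quoted reply describes. The model deliberately allows a `skipto` back to an earlier rule so that a loop can be shown and caught at runtime; that is an assumption of the model, not a statement about which jumps a real firewall accepts.

```python
"""Toy first-match packet-filter model (constructed example, not ipfw)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                    # "allow", "deny" or "skipto"
    proto: Optional[str] = None    # None matches any protocol
    dst_port: Optional[int] = None # None matches any port
    target: Optional[int] = None   # skipto destination rule number


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Match on protocol and destination port only (enough for the cost model)."""
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))


def backward_jumps(rules: List[Rule]) -> List[int]:
    """Static check: skipto rules whose target is not strictly later in the list.

    Such a rule can send a packet back over rules it already failed to match,
    which is the 'trapped and reprocessed' situation described in the thread.
    """
    return [r.number for r in rules
            if r.action == "skipto" and r.target is not None and r.target <= r.number]


def evaluate(rules: List[Rule], pkt: Packet, max_steps: int = 100_000) -> Tuple[str, int]:
    """Walk the list in rule-number order; return (verdict, rules examined).

    Raises RuntimeError if one packet is examined more than max_steps times,
    which in this model can only happen because of a rule loop.
    """
    ordered = sorted(rules, key=lambda r: r.number)
    i, examined = 0, 0
    while i < len(ordered):
        r = ordered[i]
        examined += 1
        if examined > max_steps:
            raise RuntimeError(f"rule loop: one packet examined more than {max_steps} rules")
        if not matches(r, pkt):
            i += 1
            continue
        if r.action in ("allow", "deny"):
            return r.action, examined
        # skipto: resume at the first rule numbered >= target (end of list if none)
        i = next((k for k, x in enumerate(ordered) if x.number >= r.target), len(ordered))
    return "deny", examined  # implicit default deny at end of list


def total_evaluations(rules: List[Rule], packets: List[Packet]) -> int:
    """Total rule examinations for a burst of packets; proportional to CPU spent."""
    return sum(evaluate(rules, p)[1] for p in packets)


def flat_ruleset(n: int) -> List[Rule]:
    """n per-port TCP deny rules (constructed) followed by a catch-all allow."""
    rules = [Rule(100 + k, "deny", "tcp", dst_port=1 + k) for k in range(n)]
    rules.append(Rule(65000, "allow"))
    return rules


def partitioned_ruleset(n: int) -> List[Rule]:
    """Same TCP rules, but UDP is sent straight past them with one skipto."""
    rules = [Rule(10, "skipto", "udp", target=5000)]
    rules += [Rule(100 + k, "deny", "tcp", dst_port=1 + k) for k in range(n)]
    rules.append(Rule(5000, "allow"))
    return rules


if __name__ == "__main__":
    flood = [Packet("udp", 53)] * 1000  # constructed: 1000 small UDP packets
    print("flat:       ", total_evaluations(flat_ruleset(200), flood))
    print("partitioned:", total_evaluations(partitioned_ruleset(200), flood))
    looped = [Rule(100, "deny", "tcp", dst_port=1),
              Rule(200, "skipto", target=100), Rule(300, "allow")]
    print("backward jumps:", backward_jumps(looped))
```

With 200 rules, each flood packet that matches nothing in the flat list costs 201 examinations, whereas the partitioned list costs 2; at the same packets-per-second rate that is the difference between the CPU being swamped and being mostly idle, independent of the link's bit rate. A `backward_jumps` hit is worth treating as a bug before measuring anything else, since a single looping packet dominates every other cost in the list.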