Josh Brooks wrote:

> My FreeBSD machine does _nothing_ but filter packets and run ssh.
>
> >     ONLY purpose is to deal with attacks.  With an entire cpu dedicated
> >     to dealing with attacks you aren't likely to run out of CPU suds (at least
> >     not before your attackers fills your internet pipe).  This allows you
> >     to use more reasonable rulesets on your other machines.
>
> You know, I keep hearing this ... the machine is a 500 MHz P3 Celeron with
> 256 megs RAM ... and normally `top` says it is at about 80% idle, and
> everything is wonderful - but when someone shoves 12,000-15,000 packets
> per second down its throat, it chokes _hard_.  You think that optimizing
> my ruleset will change that?  Or does 15K p/s choke any FreeBSD+ipfw
> firewall with 1-200 rules running on it?

In my opinion, besides trying to optimize the filtering ruleset as suggested by
other folks, you could do yourself a favor by purchasing a more decent CPU and
faster DDR RAM. It is obvious that at 20,000 pps or even more (with typical DoS
small-sized packets) your machine won't hit the PCI bus limits, so you won't need
any fancy and expensive PCI-X motherboards and/or NICs; just go for a higher CPU
clock, more cache, and more RAM bandwidth.

Another thing to consider, if your system is experiencing livelock under attacks,
would be using polling mode instead of interrupts; see
http://info.iet.unipi.it/~luigi/polling/ for details.

Marko
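The polling mode Marko points to is enabled in two steps on a FreeBSD 4.x kernel: build the kernel with DEVICE_POLLING (and a higher HZ, since the polling loop runs off the clock interrupt), then switch it on with the kern.polling sysctls. The script below is an added example, not from this thread or from Luigi Rizzo's polling page; it assumes the stock sysctl names kern.polling.enable and kern.polling.user_frac and the standard sysctl(8) and vmstat(8) tools, and only touches the system from the guarded enable_polling function.

```shell
#!/bin/sh
# Added example: enabling device polling on a FreeBSD 4.x packet filter
# so that a flood of small packets cannot livelock the box in interrupt
# handlers.  Kernel side (added to the kernel config, then rebuild and
# reboot; these two lines are kernel options, not shell commands):
#
#   options DEVICE_POLLING
#   options HZ=1000
#
# With polling on, NIC interrupts are disabled and the driver is polled
# HZ times per second; kern.polling.user_frac reserves a share of each
# tick for userland so sshd and friends stay usable under attack.

# Produce the sysctl assignments for polling.  The optional argument is
# the userland CPU share in percent (FreeBSD's default is 50).  Kept as
# a pure function so it can be checked without touching the kernel.
polling_sysctls() {
    user_frac=${1:-50}
    case "$user_frac" in
        ''|*[!0-9]*) echo "user_frac must be a percentage" >&2; return 1 ;;
    esac
    printf 'kern.polling.enable=1\nkern.polling.user_frac=%s\n' "$user_frac"
}

# Apply the assignments, but only if the running kernel was built with
# DEVICE_POLLING (the sysctl node does not exist otherwise).  To make the
# setting survive a reboot, the same lines go into /etc/sysctl.conf.
enable_polling() {
    if ! sysctl -n kern.polling.enable >/dev/null 2>&1; then
        echo "kernel lacks DEVICE_POLLING; add the option and rebuild" >&2
        return 1
    fi
    polling_sysctls "$1" | while IFS= read -r kv; do
        sysctl "$kv" || return 1
    done
}

# Before/after check: under a flood, vmstat -i shows the per-second
# interrupt rate of the NIC.  With polling active the NIC line should
# drop to (near) zero while the clock interrupt stays at HZ.
show_interrupt_rates() {
    vmstat -i
}

# Only act when actually run as root on a FreeBSD box; otherwise just
# print what would be applied.
if [ "$(uname -s 2>/dev/null)" = FreeBSD ] && [ "$(id -u)" = 0 ]; then
    enable_polling "${1:-50}" && show_interrupt_rates
else
    echo "would apply:"; polling_sysctls "${1:-50}"
fi
```

A lower user_frac hands more of each tick to the network stack, which is what you want on a box that does nothing but filter; a higher one keeps the login shell responsive at the cost of some forwarding capacity.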



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message