Josh Brooks wrote:
The problem is, I have a few hundred ipfw rules (there are over 200 machines behind this firewall) and so when a DDoS attack comes, every packet has to traverse those hundreds of rules - and so even though the firewall is doing nothing other than filtering packets, the cpu gets all used up.
I wonder if it would help to run two separate FreeBSD appliance firewalls: a 'front' one that just screens obvious attacks using stateless packet filtering, and a 'rear' one that handles more CPU-consuming stateful filtering. If carefully done, that might help a lot to alleviate the CPU bottleneck.

Just a thought,

Tim Kientzle
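As an added illustration (not code from either message), here is a small Python model of ipfw's first-match rule walk that counts how many rules a packet touches. It compares a flat ruleset with one allow rule per host against one that puts a few stateless anti-spoofing denies first and, going slightly beyond the thread, uses ipfw's `skipto` action to jump into a per-/26 block of host rules. All addresses and rule numbers are constructed.

```python
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")            # constructed internal network
HOST_OFFSETS = range(1, 201)                   # 200 machines behind the firewall

def rule(num, action, src="any", dst="any"):
    """One rule: (number, action, src net or None, dst net or None)."""
    return (num, action,
            None if src == "any" else ip_network(src),
            None if dst == "any" else ip_network(dst))

def evaluate(rules, src, dst):
    """Walk rules in number order as ipfw does; return (action, rules examined)."""
    src, dst = ip_address(src), ip_address(dst)
    examined, i = 0, 0
    while i < len(rules):
        num, action, rsrc, rdst = rules[i]
        examined += 1
        if (rsrc is None or src in rsrc) and (rdst is None or dst in rdst):
            if action.startswith("skipto "):
                target = int(action.split()[1])
                # skipto lands on the first rule numbered >= target
                i = next((j for j, r in enumerate(rules) if r[0] >= target), len(rules))
                continue
            return action, examined
        i += 1
    return "deny", examined                    # implicit default rule 65535

def flat_ruleset():
    """One allow per host: every packet walks up to 200 rules."""
    return [rule(100 + a, "allow", dst=str(INSIDE[a])) for a in HOST_OFFSETS]

def screened_ruleset():
    """Cheap stateless screen first, then skipto into the /26 holding the host."""
    rules = [rule(10, "deny", src=str(INSIDE)),     # packet claims an inside source
             rule(11, "deny", src="10.0.0.0/8")]    # RFC 1918 source, never valid here
    for k, block in enumerate(INSIDE.subnets(new_prefix=26)):
        rules.append(rule(20 + k, f"skipto {1000 * (k + 1)}", dst=str(block)))
    for a in HOST_OFFSETS:                          # host .a lives in block a // 64
        rules.append(rule(1000 * (a // 64 + 1) + a % 64, "allow", dst=str(INSIDE[a])))
    return sorted(rules, key=lambda r: r[0])

if __name__ == "__main__":
    for name, rs in (("flat", flat_ruleset()), ("screened", screened_ruleset())):
        print(name, "spoofed flood :", evaluate(rs, "192.0.2.77", "192.0.2.200"))
        print(name, "legit packet  :", evaluate(rs, "198.51.100.5", "192.0.2.200"))
```

The flat ruleset both walks all 200 rules for the spoofed packet and lets it through, while the screened one drops it at rule 10 and bounds a legitimate packet's walk to the screen plus one /26 block.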