Sorry. I'm accustomed to a corporate environment where managers frowned on giving out
information.
We (Paul Henson and I) are attempting to install IPF on an OpenBSD 3.1 machine for Cal
Poly Pomona University in Southern California. We have a full, registered, class B
address and an OC-3 for our Internet connection. If by resources you are asking what
people do on the network, I think the answer is pretty much everything. With the
dorms connected to the campus network at Ethernet speeds, can you imagine what student
residents do?
We want to install the firewall with as little disruption as possible. The rule set
will start off blocking traffic that should never come in the network (ipopts, RFC
1918 addresses, etc.) and blocking traffic to some of our central servers. As we get
the green-light and feel comfortable, we'll start adding rules. The biggest concern
right now is breaking active FTP sessions. That would cause us a bunch of grief.
We have also talked about other applications that may possibly need features similar
to FTP in the way of return ports. We know they are out there, we just don't know
what they all are. :-)
I'm anticipating the need for new monitoring tools once we go live. "ipfstat -t"
will be of limited use to us due to the load. I'm not that great of a programmer, but
I'll learn.
Our initial rule set is 224 lines long. I'm sure as we start adding to it, we'll have
well over 1,000 lines. I'm dreading keeping track of the filter logs since I'm sure
they'll be quite large.
Our firewall machine is fairly beefy. It's a 2.2 GHz Xeon with dual GigE cards, 2GB
RAM and a caching disk controller. Is it too much? We'd like it to be. What we
don't want is for it to be not enough. I think we have it configured to handle
500,000 state table entries (max). The OpenBSD folks aren't much help, either. Will
that be enough? We won't know until it goes live.
Did that answer your question?
Ken
>>> Steve Shorter <[EMAIL PROTECTED]> 06/11/02 06:05PM >>>
On Tue, Jun 11, 2002 at 10:45:01AM -0500, Ken Diliberto wrote:
> By loaded, how about passing a full Class B address over an OC-3 where the traffic
> over the link is fairly constant between 70-100MBps?
>
Fine. What resources are being used? There was a brief
thread a while ago in which someone was seeking this kind of info.
Or is this some kind of big secret. If you are using IPFilter to
do this work a lot of experience could be shared for the benefit
of the community of users. Vague references to "full class C over OC-3"
are pretty useless, unless you share configuration info.
Some people may want to use IPFilter for this type of work.
A single post to this list can save a lot of grief and time and
experimentation. After all, you got a nice firewall for free, please
give something back.
-steve
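Ken mentions above that "ipfstat -t" will be of limited use under load and that the filter logs will be large. The script below is an added example, not code from either poster: it reduces an ipmon text log to the counts a firewall operator actually looks at (top blocked sources, most-hit rules, most-targeted services, and blocked packets whose source is an RFC 1918 address, which on an outside interface means spoofing or a leak). The ipmon line layout it parses is assumed from the usual ipmon output, the sample lines are constructed for the example, and the addresses in them (192.0.2.0/24 standing in for the campus range, 203.0.113.x and 198.51.100.x as outside hosts) are placeholders.

```python
"""Summarize ipmon-style IPFilter log lines (added example, not from the original thread)."""
import ipaddress
import re
from collections import Counter

# Assumed ipmon text layout (reconstructed from typical ipmon output, not from the list post):
#   [dd/mm/yyyy] hh:mm:ss.usec iface @group:rule action src[,sport] -> dst[,dport] PR proto len hl tl ... IN|OUT
LINE_RE = re.compile(
    r"^(?:\d{2}/\d{2}/\d{4}\s+)?"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[A-Za-z])\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>\w+)\b"
    r".*?\b(?P<dir>IN|OUT)\s*$"
)

# ipmon action letters: b = blocked by a rule, S = short packet (dropped), p = passed.
BLOCK_ACTIONS = {"b", "S"}

# The RFC 1918 ranges Ken's rule set blocks on the outside interface; a blocked packet with
# one of these as its source is spoofed or leaked, and worth a separate counter.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log for the example (placeholder addresses, not real campus traffic).
SAMPLE_LOG = """\
11/06/2002 18:05:01.123456 fxp0 @0:1 b 10.1.2.3,4321 -> 192.0.2.10,80 PR tcp len 20 60 -S IN
11/06/2002 18:05:01.223456 fxp0 @0:1 b 10.1.2.3,4322 -> 192.0.2.10,443 PR tcp len 20 60 -S IN
11/06/2002 18:05:02.000001 fxp0 @0:4 b 203.0.113.9 -> 192.0.2.1 PR icmp len 20 84 icmp 8/0 IN
11/06/2002 18:05:02.500000 fxp0 @0:7 b 198.51.100.77,55000 -> 192.0.2.25,25 PR tcp len 20 60 -S IN
11/06/2002 18:05:03.000000 fxp0 @0:7 b 198.51.100.77,55001 -> 192.0.2.25,25 PR tcp len 20 60 -S IN
11/06/2002 18:05:03.100000 fxp0 @0:9 p 192.0.2.30,1025 -> 198.51.100.2,21 PR tcp len 20 60 -S OUT
this line is deliberately unparseable
"""


def is_rfc1918(addr):
    """True if addr falls in one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_line(line):
    """Return a dict of fields for one ipmon line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule_id"] = f"{rec['group']}:{rec['rule']}"
    rec["service"] = f"{rec['proto']}/{rec['dport']}" if rec["dport"] else rec["proto"]
    return rec


def summarize(lines):
    """Aggregate counters over an iterable of log lines; unparseable lines are counted, not lost."""
    out = {
        "parsed": 0, "unparsed": 0, "passed": 0,
        "blocked_by_src": Counter(), "blocked_by_rule": Counter(),
        "blocked_by_service": Counter(), "blocked_rfc1918_src": Counter(),
    }
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            out["unparsed"] += 1
            continue
        out["parsed"] += 1
        if rec["action"] in BLOCK_ACTIONS:
            out["blocked_by_src"][rec["src"]] += 1
            out["blocked_by_rule"][rec["rule_id"]] += 1
            out["blocked_by_service"][rec["service"]] += 1
            if is_rfc1918(rec["src"]):
                out["blocked_rfc1918_src"][rec["src"]] += 1
        elif rec["action"] == "p":
            out["passed"] += 1
    return out


def report(summary, top=5):
    """Render the summary as plain text suitable for a periodic mail or console check."""
    lines = [f"parsed={summary['parsed']} unparsed={summary['unparsed']} passed={summary['passed']}"]
    for title, key in (("blocked by source", "blocked_by_src"), ("blocked by rule", "blocked_by_rule"),
                       ("blocked by service", "blocked_by_service"),
                       ("blocked RFC 1918 sources", "blocked_rfc1918_src")):
        lines.append(f"-- {title} --")
        lines.extend(f"{count:8d}  {key_}" for key_, count in summary[key].most_common(top))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(report(summarize(source)))
```

Run it against an ipmon output file (`python summarize.py /var/log/ipflog`) or with no argument to process the constructed sample. Because it streams line by line and keeps only counters, it copes with the multi-gigabyte logs Ken expects; the "unparsed" count is the check that the assumed layout matches the ipmon build in use, and should be near zero on a real log.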