Date:      Thu, 16 Jan 2003 14:56:58 -0800
From:      Darren Pilgrim <dmp@pantherdragon.org>
To:        Josh Brooks <user@mail.econolodgetulsa.com>
Cc:        Sean Chittenden <sean@chittenden.org>, freebsd-hackers@freebsd.org, nate@yogotech.com
Subject:   Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID:  <3E2738BA.4090806@pantherdragon.org>
References:  <20030116124254.J9642-100000@mail.econolodgetulsa.com>

Josh Brooks wrote:
> Again, thank you very much for your advice and comments - they are very
> well taken.
> 
> I will clarify and say that the fbsd system I am using / talking about is
> a _dedicated_ firewall.  Only port 22 is open on it.
> 
> The problem is, I have a few hundred ipfw rules (there are over 200
> machines behind this firewall) and so when a DDoS attack comes, every
> packet has to traverse those hundreds of rules - and so even though the
> firewall is doing nothing other than filtering packets, the cpu gets all
> used up.

There is sorting that you can do, like putting the highest-traffic rules 
near the top.  ipfw terminates the search on the first matching rule except 
for count and skipto.  Also, the fewer items that have to be checked the 
faster the rule is.  Perhaps there is some aggregation that can be done with 
the rules themselves?


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
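The cost argument above (every packet walks the list until the first terminating match, with `count` falling through and `skipto` jumping ahead) can be made concrete with a small model. The code below is an added example, not part of this thread or of the ipfw code base: it parses a tiny, constructed subset of ipfw rule syntax, walks a ruleset with first-match semantics, and counts how many rules a packet touches. The two rulesets (a flat per-host list for 200 made-up hosts in 10.1.0.0/24 through 10.8.0.0/24, and the same hosts partitioned behind a short `skipto` dispatch table) are constructed for the example; the model assumes the kernel's default-deny behaviour when no rule matches and understands only `allow`, `deny`, `count` and `skipto`.

```python
"""Toy first-match walk over constructed ipfw-style rulesets (added example)."""
import ipaddress


def _net(tok):
    # "any" matches every address; anything else is a host or CIDR network
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line):
    """Parse '<num> <action> [<target>] <proto> from <src> to <dst> [<dport>]'.
    This is a constructed subset of ipfw syntax, enough for the comparison."""
    t = line.split()
    num, action, i = int(t[0]), t[1], 2
    target = None
    if action == "skipto":
        target, i = int(t[2]), 3
    proto = t[i]
    if t[i + 1] != "from" or t[i + 3] != "to":
        raise ValueError("unsupported rule syntax: " + line)
    dport = int(t[i + 5]) if len(t) > i + 5 else None
    return dict(num=num, action=action, target=target, proto=proto,
                src=_net(t[i + 2]), dst=_net(t[i + 4]), dport=dport)


def _matches(rule, pkt):
    proto, src, dst, dport = pkt          # pkt is a constructed 4-tuple
    if rule["proto"] not in ("ip", proto):
        return False
    if rule["src"] is not None and ipaddress.ip_address(src) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(dst) not in rule["dst"]:
        return False
    if rule["dport"] is not None and rule["dport"] != dport:
        return False
    return True


def evaluate(rules, pkt):
    """Walk rules in number order the way ipfw does: the first matching
    allow/deny ends the search, count falls through to the next rule, and
    skipto resumes at the first rule numbered >= its target.
    Returns (verdict, rules_examined); assumes default deny at the end."""
    rules = sorted(rules, key=lambda r: r["num"])
    i, examined = 0, 0
    while i < len(rules):
        r = rules[i]
        examined += 1
        if _matches(r, pkt):
            if r["action"] == "count":
                i += 1
                continue
            if r["action"] == "skipto":
                i = next((j for j, x in enumerate(rules) if x["num"] >= r["target"]),
                         len(rules))
                continue
            return r["action"], examined
        i += 1
    return "deny", examined


# Constructed address plan: 8 subnets x 25 web hosts = 200 protected hosts.
SUBNETS = range(1, 9)
HOSTS = [f"10.{n}.0.{h}" for n in SUBNETS for h in range(1, 26)]


def flat_ruleset():
    """One allow rule per host in a single list, then the catch-all deny.
    A packet for the last host (or for no host) touches every rule."""
    lines = [f"{100 + k} allow tcp from any to {h} 80" for k, h in enumerate(HOSTS)]
    lines.append("65000 deny ip from any to any")
    return [parse_rule(l) for l in lines]


def partitioned_ruleset():
    """Short skipto dispatch table keyed on destination /24, then one block
    per subnet holding only that subnet's hosts and its own closing deny."""
    lines = [f"{100 + n} skipto {1000 * n} ip from any to 10.{n}.0.0/24" for n in SUBNETS]
    lines.append("200 deny ip from any to any")      # destination is not ours at all
    for n in SUBNETS:
        block = 1000 * n
        lines += [f"{block + h} allow tcp from any to 10.{n}.0.{h} 80" for h in range(1, 26)]
        lines.append(f"{block + 999} deny ip from any to any")   # end of this subnet's block
    return [parse_rule(l) for l in lines]


def compare(packets):
    """Average number of rules examined per packet under each layout."""
    flat, part = flat_ruleset(), partitioned_ruleset()
    avg = lambda rs: sum(evaluate(rs, p)[1] for p in packets) / len(packets)
    return avg(flat), avg(part)


if __name__ == "__main__":
    # Constructed flood: traffic aimed at the last host and at an address we do not own.
    flood = [("tcp", "198.51.100.7", "10.8.0.25", 80)] * 50 + \
            [("udp", "198.51.100.7", "192.0.2.1", 53)] * 50
    print("avg rules examined (flat, partitioned):", compare(flood))
```

Running it shows the flat list examining about 200 rules per packet while the partitioned layout examines a few dozen at most, and a packet for an address that is not behind the firewall at all is rejected after the dispatch table instead of after every per-host rule; the same idea, ordered by traffic volume, is what the reply above suggests.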