From owner-freebsd-performance@FreeBSD.ORG Wed May 28 12:36:18 2003
From: John
To: freebsd-performance@freebsd.org
Date: Wed, 28 May 2003 14:54:10 -0500
Message-ID: <20030528195410.GA39339@mail.unixjunkie.com>
Subject: Packet sniffer tweaks.

So does anyone have any tips for creating a good packet sniffer system for
something like snort or maybe ntop? I know IRQ usage is going to be high (like
around 2-4k/s) per interface, so would that lead me to using polling?

I'm also using fxp cards and found that link0 should help reduce the interrupt
load on the CPU. So should this be used (with|instead of) polling, etc.?

BTW, I also found these sysctl values:

  debug.bpf_bufsize
  debug.bpf_maxbufsize

Any input would be great, thanks!

From owner-freebsd-performance@FreeBSD.ORG Wed May 28 14:54:16 2003
From: Michael Conlen
To: freebsd-performance@freebsd.org
Date: Wed, 28 May 2003 17:54:07 -0400
Message-ID: <3ED52FFF.3060903@obfuscated.net>
Subject: High performance IDS/Firewall

I'm considering setting up a FreeBSD firewall/IDS system to handle
60-80Mbit/sec of traffic. The box would have three adapters, two of them
bridging and one for access. I will place the IDS on the outside bridge
interface and apply IPFW rules on the system as needed. My concern is what the
failure order is if the system is under heavy load.

My preferred order would be:

  1. snort (libpcap) drops packets and snort fails to detect
  2. firewall fails to block
  3. system drops packets

as it's more important for the system to be running than to identify or block
the things we are trying to identify and block. Is this the order things would
fall over, or am I likely to cause the system to drop packets as soon as things
get ugly?

PS: I'm considering a dual P4 2GHz, 4GB of memory system, and SCSI-3 disk
subsystem. And there's only one server on the "inside" of this network, so I
don't think I'll have a major failure situation, unless someone suddenly
generates over 20Mbit of DoS traffic, and those people usually go after the
router...

--
Michael Conlen

From owner-freebsd-performance@FreeBSD.ORG Wed May 28 16:41:07 2003
From: Olivier Nicole
To: meconlen@obfuscated.net
cc: freebsd-performance@freebsd.org
Date: Thu, 29 May 2003 06:42:39 +0700 (ICT)
Message-Id: <200305282342.GAA07972@banyan.cs.ait.ac.th>
In-reply-to: <3ED52FFF.3060903@obfuscated.net> (message from Michael Conlen on Wed, 28 May 2003 17:54:07 -0400)
Subject: Re: High performance IDS/Firewall

Hi Michael,

> I'm considering setting up a FreeBSD firewall/IDS system to handle
> 60-80Mbit/sec of traffic. The box would have three adapters, two of them
> bridging and one for access. I will place the IDS on the outside bridge
> interface and apply IPFW rules on the system as needed. My concern is
> what the failure order is if the system is under heavy load.

I am working on the same sort of problem. I had that box, with 3 ethernet
adapters, that I used as a router for ages. Now that I have a real router, I
thought I could use it as a firewall. I am not at the snort stage yet.

Bridging works fine, but it seems that stateful rules need a high-end machine,
even with low traffic (I believe I don't go beyond 5Mbps bursts).

A couple of tricks when configuring your firewall:

- incoming filter rules must be attached to the outside interface, while
  outgoing rules are attached to the inside interface (even though they are
  bridged, rules on the outside interface would not catch outgoing packets, or
  rather, rules on the inside interface would catch them first, so if the
  inside interface has a deny all...)

- while bridge(4) says that non-IP packets are transmitted without filtering,
  it seems that ARP packets are passed through the firewall.

I have no answer about the default fail-safe, but I will certainly install a
cron script that will reset the machine whenever it finds it cannot
communicate anymore.

Bests
Olivier

From owner-freebsd-performance@FreeBSD.ORG Wed May 28 21:49:12 2003
From: "Jorge Mario G."
cc: freebsd-performance@freebsd.org
Date: Thu, 29 May 2003 00:50:38 -0400 (EDT)
Message-ID: <4852.137.52.44.71.1054183838.squirrel@mail.linopryne.com>
In-Reply-To: <3ED52FFF.3060903@obfuscated.net>
Subject: Re: High performance IDS/Firewall

Hi, from my personal point of view IPF performs much better than IPFW (I don't
know about IPFW2) in stressed situations like the one you are presenting.

Jorge
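As an added example (not code from the thread or from any of its posters), here is an ipfw(8) ruleset for the three-NIC bridging firewall Michael describes, arranged the way Olivier observes the bridge filtering to behave: bridged packets are only matched "in" on the member interface they arrive on, so inbound policy is attached to the outside member and outbound policy to the inside member, and an "out via" rule on a bridge member never matches. Interface names, addresses, ports and the FWCMD/SYSCTL dry-run variables are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw(8) rules for a two-NIC bridge plus a
# management NIC, laid out per Olivier's observation that bridged packets are
# only filtered "in" on the interface they arrive on. All names are assumptions.
# Usage: sh bridge-fw.sh load      (FWCMD=echo SYSCTL=echo ... for a dry run)

OIF="fxp0"                    # outside bridge member; snort listens here
IIF="fxp1"                    # inside bridge member
MIF="fxp2"                    # management interface, not part of the bridge
SERVER="192.0.2.10"           # the single inside server (RFC 5737 address)
ADMIN_NET="198.51.100.0/24"   # where management SSH may originate

load_rules() {
    fw="${FWCMD:-/sbin/ipfw}"
    sysctl_cmd="${SYSCTL:-/sbin/sysctl}"

    # Without this, bridged frames bypass ipfw entirely (bridge(4), 4.x/5.x).
    "$sysctl_cmd" net.link.ether.bridge_ipfw=1
    "$fw" -f flush

    "$fw" add 100 allow ip from any to any via lo0
    "$fw" add 110 deny ip from any to 127.0.0.0/8

    # Management NIC is routed, not bridged, so "out" exists and state works.
    "$fw" add 200 check-state
    "$fw" add 210 allow tcp from $ADMIN_NET to me 22 in via $MIF setup keep-state
    "$fw" add 220 deny log ip from any to any via $MIF

    # Inbound policy lives on the OUTSIDE member, direction "in".
    "$fw" add 300 allow tcp from any to $SERVER 80,443 in via $OIF
    "$fw" add 310 allow tcp from any 53,80,443 to $SERVER established in via $OIF
    "$fw" add 320 allow udp from any 53 to $SERVER in via $OIF
    "$fw" add 330 allow icmp from any to $SERVER in via $OIF icmptypes 0,3,8,11
    "$fw" add 390 deny log ip from any to any in via $OIF

    # Outbound policy lives on the INSIDE member, also direction "in":
    # an "out via fxp0" rule would never see a bridged packet.
    "$fw" add 400 allow tcp from $SERVER 80,443 to any established in via $IIF
    "$fw" add 410 allow tcp from $SERVER to any 53,80,443 in via $IIF
    "$fw" add 420 allow udp from $SERVER to any 53 in via $IIF
    "$fw" add 430 allow icmp from $SERVER to any in via $IIF icmptypes 8
    "$fw" add 490 deny log ip from any to any in via $IIF

    "$fw" add 65000 deny log ip from any to any
}

case "${1-}" in load) load_rules ;; esac
```

The ruleset is stateless on the bridge members on purpose, since Olivier reports stateful rules being expensive there; a dry run with FWCMD=echo SYSCTL=echo lets you review the generated rules before loading them.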