Date:      Sun, 1 May 2005 09:47:02 -0500 (CDT)
From:      Chuck Rock <carock@epconline.com>
To:        freebsd-ipfw@freebsd.org
Subject:   Problem with high load on Xeon server...
Message-ID:  <20050501093740.C38031@kira.epconline.net>

I'm running FreeBSD release 5.2.1

I would like to add 61,000+ rules to ipfw. When I get to about 10,000
rules, the box's load gets real high, and stays there until I delete the
rules.

Has anyone actually used the 60,000+ rule numbers available? I've tried
this on two different servers with similar results.

One server is Dual Xeon 2.8Gig. Average load is between 1 and 2 with 7
rules in ipfw. Load goes between 17 and 28 with around 12,000 rules.

The other server is dual P3-1Gig with avg. load of 1 with 7 rules. With
about 9,000 rules, the load goes to 8. With 20,000 rules, the box
overloaded and locked up: no kernel panic, just no keyboard, mouse, or IP
traffic; the console screen froze, etc.

Both boxes showed no excessive memory usage.

Why 60,000 IPs, you ask... These boxes are high traffic mail servers, and
I've got an extensive sendmail access file. I wanted to keep the servers
from handling so much spam by blocking the IPs of relays that failed the
access list relay check.

Over about one week, I have 60,000+ unique IP addresses from my logs.

On one server when I was able to get about 21,000 rules in, the rate of
spam dropped from 90% to about 50%, so I could really tell it was working.

I just need to figure out how to drop those packets.

I was also thinking of building a bridge firewall so the server wasn't
doing anything but filtering packets, but after seeing that ipfw couldn't
even handle half of the 65,000 rules available, I'm having second
thoughts.

Anyone have any ideas?

Thanks,
Chuck
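As an added example (not code from Chuck's post or from the FreeBSD project), one way to shrink the rule list before it ever reaches ipfw: ipfw walks its rules sequentially, so every blocked host that gets its own rule adds one more comparison per packet, but consecutive addresses harvested from a log can be collapsed into CIDR prefixes so one rule covers many hosts. The sample addresses are constructed, and the rule-number base and the port-25 scope of the generated rules are assumptions.

```python
"""Collapse a log-derived IP blocklist into CIDR prefixes and emit ipfw rules.

Added example, not from the original mailing-list post. Fewer rules means a
shorter sequential walk per packet; the set of blocked addresses is unchanged.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample: ten consecutive hosts, one duplicate, two neighbours,
# and a junk line of the kind a log extraction tends to leave behind.
SAMPLE_LOG_IPS = (
    [f"192.0.2.{i}" for i in range(10)]
    + ["198.51.100.17", "198.51.100.17", "203.0.113.4", "203.0.113.5", "garbage-line"]
)


def parse_addresses(lines: Iterable[str]) -> List[ipaddress.IPv4Address]:
    """Return the unique, sorted IPv4 addresses found in the input lines."""
    seen = set()
    for line in lines:
        token = line.strip()
        if not token or token.startswith("#"):
            continue
        try:
            seen.add(ipaddress.IPv4Address(token))
        except ValueError:
            continue  # not a plain IPv4 address; skip rather than abort the run
    return sorted(seen)


def aggregate(addrs: Iterable[ipaddress.IPv4Address]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent /32s into the smallest set of covering prefixes."""
    nets = [ipaddress.IPv4Network(f"{a}/32") for a in addrs]
    return list(ipaddress.collapse_addresses(nets))


def ipfw_rules(nets: Iterable[ipaddress.IPv4Network], base: int = 1000) -> List[str]:
    """One deny rule per prefix, numbered from `base` (assumed free range).

    Port 25 is assumed because the post is about blocking spam relays.
    """
    return [f"ipfw add {base + i} deny tcp from {n} to any 25" for i, n in enumerate(nets)]


if __name__ == "__main__":
    addrs = parse_addresses(SAMPLE_LOG_IPS)
    nets = aggregate(addrs)
    print(f"{len(addrs)} addresses -> {len(nets)} rules")
    print("\n".join(ipfw_rules(nets)))
```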

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050501093740.C38031>