From owner-freebsd-questions@FreeBSD.ORG Thu Jan 26 11:50:52 2006
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0ECD916A420 for ; Thu, 26 Jan 2006 11:50:52 +0000 (GMT) (envelope-from ikaney@crisiant.com)
Received: from jemmy.itsevolution.net (342945.ds.nac.net [66.246.218.26]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8840D43D45 for ; Thu, 26 Jan 2006 11:50:51 +0000 (GMT) (envelope-from ikaney@crisiant.com)
Received: from UnknownHost [195.8.175.130] by jemmy.itsevolution.net with SMTP; Thu, 26 Jan 2006 11:50:34 +0000
From: "Ian Kaney"
To:
Date: Thu, 26 Jan 2006 11:50:24 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AcYibrFEZPlO5Pk6RDaBdLH7ORVAGg==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
Message-Id: <20060126115051.8840D43D45@mx1.FreeBSD.org>
Subject: Bridging Firewall Machine Questions
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: ikaney@crisiant.com
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 26 Jan 2006 11:50:52 -0000

Hi there.

I wonder if somebody could help me with an issue I'm experiencing. I've put together a bridging firewall using FreeBSD 5.X. The traffic routes through fine, and presently I'm using IPFW; the default policy is set to deny, with certain rules/ports allowed to pass through. The three interfaces that are being bridged are all gigabit speed. The server is using Intel/Broadcom gigabit network cards. The machine that is performing the bridging is a Dual Opteron 246 with 2GB memory.

The issue that I'm finding is that the CPU runs out of power when the links are being hit hard.
The em0 (fibre) device in particular runs at about 6% consistently with normal traffic (~40Mbits/s) being pushed through the bridge. This means the machine would run out of CPU power when the link was being utilised at around ~650Mbits/s. Is this unavoidable, or is this a symptom of more CPU power being required?

I've also had problems with the bridge running out of dynamic rules. I've raised them to silly figures; however, I'm always wary that if a machine had a Trojan or some other form of malware that attempted a DoS attack, the bridge would probably fall over after exhausting its dynamic rule count and cause more issues. Could this be fixed perhaps by setting the default policy of IPFW to accept, or do the dynamic rules get created anyway when bridging?

I've tried reading around the Internet and various manuals and whatnot but don't seem to be getting that far with things... I've also looked at perhaps upgrading to FreeBSD 6.X because that's got newer bridging code which might alleviate issues, or so I've heard?

I hope somebody can help. Thanks in advance to anybody who can give me a few pointers.

Cheers.

--
Ian Kaney
Mail: ikaney@crisiant.com
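An added configuration example, not from Ian's post or the FreeBSD project, showing one defensive answer to the dynamic-rule exhaustion question: dynamic entries are created only by keep-state/limit rules (never by the default policy), so the state table is bounded per host with `limit src-addr` and sized explicitly through `net.inet.ip.fw.dyn_max` instead of being raised to "silly figures". The inside network, per-host cap, rule numbers and the bridge sysctl are assumptions, and the `IPFW`/`SYSCTL` overrides let the rule set be previewed with `IPFW=echo` without touching a live firewall.

```shell
#!/bin/sh
# Added example: bound IPFW dynamic state on a FreeBSD 5.x bridging firewall.
# Assumes bridged frames already reach ipfw (net.link.ether.bridge.ipfw=1 on
# 5.x); all network values below are constructed, not taken from the post.
IPFW=${IPFW:-ipfw}
SYSCTL=${SYSCTL:-sysctl}
INSIDE_NET=${INSIDE_NET:-192.0.2.0/24}      # constructed inside prefix
PER_HOST_STATES=${PER_HOST_STATES:-200}     # assumed per-host state cap
DYN_MAX=${DYN_MAX:-65535}                   # assumed global ceiling

# Size the dynamic-rule table deliberately: dyn_max is the hard ceiling,
# dyn_buckets (a power of two) is the hash table the entries live in.
tune_dynamic_state() {
    "$SYSCTL" net.inet.ip.fw.dyn_max="$DYN_MAX"
    "$SYSCTL" net.inet.ip.fw.dyn_buckets=4096
}

# Only 'keep-state' and 'limit' rules create dynamic entries, so a single
# malware-infected host is contained by a per-source 'limit' rather than by
# loosening the default policy. Everything not matched stays denied.
apply_rules() {
    "$IPFW" -f flush
    "$IPFW" add 100 check-state
    # Each inside host may hold at most PER_HOST_STATES outbound TCP sessions.
    "$IPFW" add 200 allow tcp from "$INSIDE_NET" to any setup \
        limit src-addr "$PER_HOST_STATES"
    "$IPFW" add 210 allow udp from "$INSIDE_NET" to any \
        limit src-addr "$PER_HOST_STATES"
    # Inbound web service: stateful and bounded per remote source address.
    "$IPFW" add 300 allow tcp from any to "$INSIDE_NET" 80,443 setup \
        limit src-addr "$PER_HOST_STATES"
    "$IPFW" add 65000 deny ip from any to any
}

# Preview helper: returns how many rules create bounded dynamic state.
count_state_rules() {
    (IPFW=echo; apply_rules) | grep -c ' limit src-addr '
}

# Only touch the live firewall when explicitly asked: ./bridge-fw.sh apply
if [ "${1:-}" = apply ]; then
    tune_dynamic_state
    apply_rules
fi
```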