Date:      Sun, 1 May 2005 11:10:33 -0500 (CDT)
From:      Chuck Rock <carock@epconline.com>
To:        Richard Tector <richardtector@thekeelecentre.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   RE: Problem with high load on Xeon server...
Message-ID:  <20050501110937.A18734@kira.epconline.net>
In-Reply-To: <000001c54e62$5ab80ca0$0c01000a@RLaptop>
References:  <000001c54e62$5ab80ca0$0c01000a@RLaptop>

I'm still thinking the bridge firewall is the best route since I can
affect all of my inbound servers at one point instead of loading up the
rules on each individual server.

I will look into the pf solution.

Thanks,
Chuck

On Sun, 1 May 2005, Richard Tector wrote:

> >Why 60,000 IPs you ask... These boxes are high traffic mail servers, and
> >I've got an extensive sendmail access file. I wanted to keep the servers
> >from handling so much spam by blocking the IPs of relays that failed the
> >access list relay check.
>
> >Over about one week, I have 60,000+ unique IP addresses from my logs.
>
>
> You might want to consider using pf which has extensive table support. I'm
> not sure what the limits are on the table size, but you simply add another.
> This means a minimal ruleset and table lookups are orders of magnitude
> faster than rule processing.
>
> Ipfw now has table support. In 5.3+ at least. I don't know how quick these
> are in comparison to pf however.
>
> The only problem with using pf is you'd ideally need to upgrade to 5.3 or
> above. Perhaps rig up another box to try it on?
>
> Regards,
>
> Richard Tector
>
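
The table approach suggested in the quoted reply, as an added example that is not part of the original messages: it pulls the relays that failed the relay check out of sendmail log lines, de-duplicates them, and collapses neighbours into CIDR blocks for a single pf table. The log lines are constructed samples in sendmail's usual syslog format; the table name `spamrelays`, the file path and the `NEVER_BLOCK` list are assumptions.

```python
"""Build pf table entries from sendmail 'Relaying denied' log lines (added example)."""
import ipaddress
import re

# Constructed sample log lines; not taken from the thread.
SAMPLE_LOG = """\
May  1 10:02:11 mx1 sendmail[1234]: j41F2B5x001234: ruleset=check_rcpt, arg1=<a@example.net>, relay=[192.0.2.15], reject=550 5.7.1 <a@example.net>... Relaying denied
May  1 10:02:12 mx1 sendmail[1235]: j41F2C5x001235: ruleset=check_rcpt, arg1=<b@example.net>, relay=dsl.example.org [192.0.2.14], reject=550 5.7.1 <b@example.net>... Relaying denied
May  1 10:02:13 mx1 sendmail[1236]: j41F2D5x001236: ruleset=check_rcpt, arg1=<c@example.net>, relay=[192.0.2.15], reject=550 5.7.1 <c@example.net>... Relaying denied
May  1 10:02:14 mx1 sendmail[1237]: j41F2E5x001237: from=<d@example.com>, size=812, nrcpts=1, relay=mail.example.com [198.51.100.7]
May  1 10:02:15 mx1 sendmail[1238]: j41F2F5x001238: ruleset=check_rcpt, arg1=<e@example.net>, relay=[10.1.1.9], reject=550 5.7.1 <e@example.net>... Relaying denied
"""

RELAY_RE = re.compile(r"relay=[^,\[]*\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")
# Hypothetical allow-list: networks that must never end up in the block table.
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]

def rejected_relays(log_text):
    """Return the set of relay addresses on lines rejected as 'Relaying denied'."""
    found = set()
    for line in log_text.splitlines():
        if "Relaying denied" not in line:
            continue  # accepted mail and other log noise
        m = RELAY_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address in the log
        if any(addr in net for net in NEVER_BLOCK if net.version == addr.version):
            continue
        found.add(addr)
    return found

def table_entries(addrs):
    """Collapse adjacent addresses into CIDR blocks, one pf table entry each."""
    out = []
    for version in (4, 6):
        nets = [ipaddress.ip_network(a) for a in addrs if a.version == version]
        out += [str(n) for n in ipaddress.collapse_addresses(nets)]
    return out

if __name__ == "__main__":
    # pf.conf side (assumed names): table <spamrelays> persist file "/etc/pf.spamrelays"
    #                               block in quick from <spamrelays>
    print("\n".join(table_entries(rejected_relays(SAMPLE_LOG))))
```

Written to the table file, the output can be reloaded without touching the ruleset using `pfctl -t spamrelays -T replace -f /etc/pf.spamrelays`.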


