Date: Thu, 26 Jan 2006 11:50:24 -0000
From: "Ian Kaney" <ikaney@crisiant.com>
To: <freebsd-questions@freebsd.org>
Subject: Bridging Firewall Machine Questions
Message-ID: <20060126115051.8840D43D45@mx1.FreeBSD.org>
Hi there. I wonder if somebody could help me with an issue I'm experiencing.

I've put together a bridging firewall using FreeBSD 5.X. The traffic routes through fine and presently I'm using IPFW; the default policy is set to deny, with certain rules/ports allowed to pass through. The three interfaces that are being bridged are all gigabit speed. The server is using Intel/Broadcom gigabit network cards. The machine that is performing the bridging is a Dual Opteron 246 with 2GB memory.

The issue that I'm finding is that the CPU runs out of power when the links are being hit hard. The em0 (fibre) device in particular runs at about 6% consistently with normal traffic (~40Mbits/s) being pushed through the bridge. This means the machine would run out of CPU power when the link was being utilised at around ~650Mbits/s. Is this unavoidable, or is this a symptom of more CPU power being required?

I've also had problems with the bridge running out of dynamic rules. I've raised them to silly figures; however, I'm always wary that if a machine had a Trojan or some other form of malware that attempted a DoS attack, the bridge would probably fall over after exhausting its dynamic rule count and cause more issues. Could this be fixed perhaps by setting the default policy of IPFW to accept, or do the dynamic rules get created anyway when bridging?

I've tried reading around the Internet and various manuals and what not, but don't seem to be getting that far with things... I've also looked at perhaps upgrading to FreeBSD 6.X because that's got newer bridging code which might alleviate issues, or so I've heard?

I hope somebody can help. Thanks in advance to anybody who can give me a few pointers.

Cheers.

-- 
Ian Kaney
Mail: ikaney@crisiant.com
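The dynamic-rule exhaustion Ian describes is easier to reason about once you can see which hosts are holding the states. The script below is an added example, not part of the original post; it summarises `ipfw -d show` dynamic-rule lines by source address and computes table utilisation. The line format and the sample output are assumptions modelled on ipfw's `STATE` lines (constructed data, not taken from Ian's bridge).

```sh
#!/bin/sh
# Added example: summarise ipfw's dynamic-rule table to spot the source
# address consuming the most states and how full the table is.
# Assumed line format (after the "## Dynamic rules (used max):" header):
#   <rule> <pkts> <bytes> (<ttl>) STATE <proto> <src> <sport> <-> <dst> <dport>

# Constructed sample standing in for:  ipfw -d show | sed -n '/^## Dynamic rules/,$p'
SAMPLE_DYN='## Dynamic rules (6 1024):
00200   12   4800 (4s) STATE tcp 192.168.1.20 51234 <-> 10.0.0.5 80
00200    3    180 (3s) STATE tcp 192.168.1.20 51235 <-> 10.0.0.5 80
00200    1     60 (2s) STATE tcp 192.168.1.20 51236 <-> 10.0.0.6 443
00200    1     60 (2s) STATE tcp 192.168.1.20 51237 <-> 10.0.0.7 443
00200   40  20000 (9s) STATE tcp 192.168.1.9 40000 <-> 10.0.0.5 22
00200    5    300 (5s) STATE udp 192.168.1.11 53000 <-> 10.0.0.2 53'

# states_by_src: read STATE lines on stdin, print "<count> <src>" highest first.
states_by_src() {
    awk '$5 == "STATE" { n[$7]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# top_src: the single source address holding the most dynamic rules.
top_src() {
    states_by_src | head -n 1 | awk '{ print $2 }'
}

# dyn_header_counts: extract "used max" from the "## Dynamic rules (used max):" header.
dyn_header_counts() {
    sed -n 's/^## Dynamic rules (\([0-9]*\) \([0-9]*\)).*/\1 \2/p'
}

# dyn_usage_pct USED MAX: whole-percent fill level of the dynamic-rule table
# (the same figures are available live via sysctl net.inet.ip.fw.dyn_count / dyn_max).
dyn_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_DYN" | states_by_src
set -- $(printf '%s\n' "$SAMPLE_DYN" | dyn_header_counts)
echo "dynamic table ${1}/${2} used ($(dyn_usage_pct "$1" "$2")%), top source: $(printf '%s\n' "$SAMPLE_DYN" | top_src)"
```

On a live box, pipe `ipfw -d show` into `states_by_src` from a cron job and compare `dyn_usage_pct` against a threshold well below `net.inet.ip.fw.dyn_max`, so a single host opening thousands of flows is noticed before the table fills and traffic starts being dropped.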