Josh Brooks wrote:
There is sorting that you can do, like putting the highest-traffic rules near the top. ipfw terminates the search on the first matching rule except for count and skipto. Also, the fewer items that have to be checked the faster the rule is. Perhaps there is some aggregation that can be done with the rules themselves?

Again, thank you very much for your advice and comments - they are very well taken.

I will clarify and say that the fbsd system I am using / talking about is a _dedicated_ firewall. Only port 22 is open on it. The problem is, I have a few hundred ipfw rules (there are over 200 machines behind this firewall) and so when a DDoS attack comes, every packet has to traverse those hundreds of rules - and so even though the firewall is doing nothing other than filtering packets, the CPU gets all used up.
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
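The exchange above is about how many rules a packet has to walk before ipfw reaches a verdict. The following is an added example (not code from the thread or from FreeBSD): a simplified Python model of ipfw's first-match walk that counts rules examined per packet, comparing one flat list of 200 per-host allow rules against the same policy partitioned with skipto by /24. The model matches on destination address only, knows only allow/deny/count/skipto, and the 10.0.0.0/22 hosts and the 192.0.2.1 "unknown" address are constructed sample data.

```python
"""Simplified model of ipfw's first-match rule walk (added example, not ipfw).

Rules match on destination address only; only allow, deny, count and skipto
are modelled. The interesting output is how many rules a packet touches,
which is the per-packet cost the thread is discussing.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                   # "allow", "deny", "count" or "skipto"
    dst: Optional[Net] = None     # None means "any"
    target: Optional[int] = None  # skipto destination rule number


DEFAULT_DENY = Rule(65535, "deny")  # ipfw's implicit last rule


def evaluate(rules, dst_ip):
    """Walk rules in ascending number order the way ipfw does.

    Returns (verdict, rules_examined). allow/deny end the search; count
    matches but falls through; skipto resumes at the first rule whose
    number is >= target (ipfw only allows forward jumps).
    """
    ordered = sorted(rules, key=lambda r: r.number) + [DEFAULT_DENY]
    ip = ipaddress.IPv4Address(dst_ip)
    i = 0
    examined = 0
    while i < len(ordered):
        r = ordered[i]
        examined += 1
        if r.dst is not None and ip not in r.dst:
            i += 1                       # no match, try the next rule
            continue
        if r.action in ("allow", "deny"):
            return r.action, examined    # terminal: the search stops here
        if r.action == "count":
            i += 1                       # counters bump, search continues
            continue
        if r.action == "skipto":
            if r.target <= r.number:
                raise ValueError("ipfw skipto must jump forward")
            i = next(j for j, x in enumerate(ordered) if x.number >= r.target)
            continue
        raise ValueError(f"unknown action {r.action}")
    return "deny", examined  # not reached: DEFAULT_DENY matches everything


def protected_hosts():
    """Constructed sample: 200 hosts spread over four /24s (10.0.0.x to 10.0.3.x)."""
    return [ipaddress.IPv4Address(f"10.0.{k // 50}.{k % 50 + 1}") for k in range(200)]


def flat_ruleset():
    """One allow rule per host in a single long list, as in the original setup."""
    rules = [Rule(50, "count")]  # a count rule never ends the search
    for k, host in enumerate(protected_hosts()):
        rules.append(Rule(100 + k, "allow", Net(f"{host}/32")))
    return rules


def partitioned_ruleset():
    """Same policy, but a skipto per /24 so a packet only walks its own block."""
    rules = [Rule(50, "count")]
    for s in range(4):
        rules.append(Rule(100 + s, "skipto", Net(f"10.0.{s}.0/24"), target=1000 * (s + 1)))
    rules.append(Rule(500, "deny"))  # not in any known subnet: dropped early
    for k, host in enumerate(protected_hosts()):
        block = 1000 * (k // 50 + 1)
        rules.append(Rule(block + k % 50, "allow", Net(f"{host}/32")))
    for s in range(4):
        rules.append(Rule(1000 * (s + 1) + 99, "deny"))  # end of each block
    return rules


if __name__ == "__main__":
    for dst in ("10.0.0.1", "10.0.3.50", "10.0.3.77", "192.0.2.1"):
        flat = evaluate(flat_ruleset(), dst)
        part = evaluate(partitioned_ruleset(), dst)
        print(f"{dst:>10}: flat {flat[0]:5} after {flat[1]:3} rules, "
              f"partitioned {part[0]:5} after {part[1]:3} rules")
```

The worst case is the one that matters under a flood: a packet for an address that matches nothing walks every rule in the flat list (202 here), while in the partitioned list it is rejected after the four skipto rules and one deny. A packet for the last host drops from 201 rule checks to 55. The same idea generalises to any grouping that lets the first few rules decide which small block a packet belongs to.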