> >
> >     If attacks are a predominant problem for you, I recommend sticking a
> >     machine in between your internet connection and everything else whos
> 
> Actually this is what I already do - my ISP does all the routing, and it
> feeds in one interface of my freebsd machine, and everything else is on
> the other side of the freebsd machine.
> 
> My freebsd machine does _nothing_ but filter packets and run ssh.
> 
> >     ONLY purpose is to deal with attacks.  With an entire cpu dedicated
> >     to dealing with attacks you aren't likely to run out of CPU suds (at least
> >     not before your attackers fill your internet pipe).  This allows you
> >     to use more reasonable rulesets on your other machines.
> 
> You know, I keep hearing this ... the machine is a 500 MHz P3 Celeron with
> 256 megs RAM ... and normally `top` says it is at about 80% idle, and
> everything is wonderful - but when someone shoves 12,000-15,000 packets
> per second down its throat, it chokes _hard_.  You think that optimizing
> my ruleset will change that?  Or does 15K p/s choke any freebsd+ipfw
> firewall with 1-200 rules running on it?
> 
> thanks.
As for my experience, it is OK for xl interfaces and
5 rules.
And a 200-rule ruleset is probably a lot for 15K p/s
on a 500 MHz Celeron.

But it is probably OK for a 2000+ AMD.

-- 
@BABOLO      http://links.ru/
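A small model of ipfw-style first-match rule evaluation, added here as an example (it is not code from the thread or from ipfw itself); the 200-rule, 500 MHz and 15K p/s figures are the thread's, while the rules, addresses and traffic mix are constructed to show why rule count and rule order decide how much CPU each flood packet costs.

```python
# Model of ipfw-style first-match rule evaluation, to quantify why ruleset
# size and ordering matter at high packet rates (added example; rules,
# packets and traffic mix below are constructed values).
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Rule:
    number: int
    action: str                       # "allow" or "deny" (both terminate)
    matches: Callable[[dict], bool]   # predicate over a packet dict

def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, int]:
    """Walk rules in number order; return (action, rules examined).
    Like ipfw, evaluation stops at the first matching terminating rule."""
    checked = 0
    for rule in sorted(rules, key=lambda r: r.number):
        checked += 1
        if rule.matches(pkt):
            return rule.action, checked
    return "deny", checked            # implicit default deny at end of list

def avg_rules_checked(rules: List[Rule], pkts: List[dict]) -> float:
    """Average number of rules examined per packet for a traffic sample."""
    return sum(evaluate(rules, p)[1] for p in pkts) / len(pkts)

def cycles_per_rule(cpu_hz: float, pps: float, rules_checked: float) -> float:
    """CPU cycles available for each rule evaluation at a given packet rate."""
    return cpu_hz / pps / rules_checked

def build_ruleset(n_service_rules: int, flood_rule_first: bool) -> List[Rule]:
    """n allow rules for distinct TCP services, plus one deny for the flood
    source placed either at number 100 (first) or at 65000 (after them)."""
    rules = [Rule(1000 + 10 * i, "allow",
                  lambda p, port=1000 + i: p["proto"] == "tcp" and p["dport"] == port)
             for i in range(n_service_rules)]
    flood = Rule(100 if flood_rule_first else 65000, "deny",
                 lambda p: p["src"] == "198.51.100.7")
    return rules + [flood]

# Constructed sample traffic: a UDP flood from one source plus a little legit traffic.
FLOOD = [{"src": "198.51.100.7", "proto": "udp", "dport": 53}] * 95
LEGIT = [{"src": "203.0.113.4", "proto": "tcp", "dport": 1000 + i} for i in range(5)]
TRAFFIC = FLOOD + LEGIT

if __name__ == "__main__":
    for first in (False, True):
        avg = avg_rules_checked(build_ruleset(200, first), TRAFFIC)
        print(f"flood rule first={first}: avg rules/packet={avg:.1f}, "
              f"cycles per rule at 500 MHz / 15K pps={cycles_per_rule(500e6, 15000, avg):.0f}")
```

With the deny rule at the end, every flood packet walks all 200 allow rules before being dropped (about 174 cycles per rule at 15K p/s on 500 MHz); moving it to the front cuts the average walk to about one rule per packet.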

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message