> > If I remember correctly he has less than 10Mbit
> > uplink and a lot of count rules for client accounting.
> > It is reason I recommend him to use userland accounting.
> > And as far as I understand a lot of count rules is
> > the reason for trouble.
> 
> I removed all the count rules a week or so ago.  Now I just have 2-300
> rules in the form:
> 

[ Snip ]

Seriously, if you want more help, you're going to have to give more
details than 'of the form'.  Send a couple of us (not the entire list)
your rules to look at, and maybe something will jump out.  At this
point, we can only guess, and spin our wheels trying to help you out.

> allow tcp from $IP to any established
> allow tcp from any to $IP established
> allow tcp from any to $IP 22,25,80,443 setup
> deny ip from any to $IP

Seems like overkill to me, when you can do something simpler with a
single rule, although depending on that rule is risky with ipfw, since
it *can* be spoofed (as you are well aware). ;(

> and I have that same set in there about 50-70 times - one for each
> customer IP address that has requested it.  That's it :)

Yikes.  Can't you simply allow in *all* the packets for an entire
netblock, and let them bounce around in the network for any
'non-listening' host?

> So each packet I get goes through about 5 rules at the front to check for
> bogus packets, then about 70 sets of the above until it either matches one
> of those, or goes out the end with the default allow rule.

If you've got a default allow rule, what's the point of the above rules?

Again, specific details (i.e. your rules list) would certainly go a long
way.



Nate
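
As an added illustration (not part of the thread, and not ipfw itself), here is a small Python model of ipfw's first-match evaluation over the rule layout quoted above. It counts how many rules a packet walks under the per-customer layout versus the single netblock rule Nate suggests, and shows that with a default allow a packet to an address that appears in no customer set is accepted anyway, after being compared against every rule. The `Packet` and `Rule` classes, the 70 customer hosts in 192.0.2.0/24, the external source 198.51.100.5 and the reduction of `established`/`setup` to a SYN-or-not flag are constructed assumptions for the example; the five "bogus packet" rules at the front of the real list are left out.

```python
"""Added example, not from the original thread and not ipfw itself: a small
first-match evaluator modelling the rule layout quoted in the mail, used to
count how many rules a packet walks.  All addresses and packets are
constructed; 'established'/'setup' are reduced to a SYN-or-not flag."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination port
    syn_only: bool  # True for a connection-opening SYN (ipfw "setup"),
                    # False for any later segment (ipfw "established")


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (any)
    src: str                         # address, CIDR block or "any"
    dst: str
    dports: frozenset = frozenset()  # empty means any port
    flag: str = ""                   # "", "established" or "setup"


def _addr_match(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise test membership in the block/host."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.flag == "established" and pkt.syn_only:
        return False
    if rule.flag == "setup" and not pkt.syn_only:
        return False
    return True


def evaluate(rules, pkt, default="allow"):
    """ipfw first-match: return (action, number of rules examined).

    A packet matching nothing falls through to the default rule, having
    been compared against every rule on the way."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, n
    return default, len(rules)


def per_customer_ruleset(customer_ips):
    """The four-rule block quoted in the mail, repeated once per customer."""
    rules = []
    for ip in customer_ips:
        rules += [
            Rule("allow", "tcp", ip, "any", flag="established"),
            Rule("allow", "tcp", "any", ip, flag="established"),
            Rule("allow", "tcp", "any", ip, frozenset({22, 25, 80, 443}), "setup"),
            Rule("deny", "ip", "any", ip),
        ]
    return rules


def netblock_ruleset(block):
    """Nate's alternative: let the whole netblock in with a single rule."""
    return [Rule("allow", "ip", "any", block)]


# Constructed: 70 customer hosts inside the documentation block 192.0.2.0/24.
CUSTOMERS = [f"192.0.2.{i}" for i in range(1, 71)]
OUTSIDE = "198.51.100.5"  # constructed external source


def demo():
    per_cust = per_customer_ruleset(CUSTOMERS)
    block = netblock_ruleset("192.0.2.0/24")
    return {
        # SYN to an unlisted port on the last customer: denied, but only
        # after walking all 280 rules.
        "syn_last_customer": evaluate(per_cust, Packet("tcp", OUTSIDE, "192.0.2.70", 8080, True)),
        # SYN to a host in no per-customer set: nothing matches, the default
        # allow lets it through, and it still walked every rule.
        "syn_unlisted_host": evaluate(per_cust, Packet("tcp", OUTSIDE, "192.0.2.200", 8080, True)),
        # Permitted service on the first customer: found on rule 3.
        "syn_first_customer_ssh": evaluate(per_cust, Packet("tcp", OUTSIDE, "192.0.2.1", 22, True)),
        # Reply traffic leaving customer 5: its 'established' rule is rule 17.
        "outbound_established": evaluate(per_cust, Packet("tcp", "192.0.2.5", OUTSIDE, 443, False)),
        # Same unlisted host under the one-rule netblock layout.
        "netblock_unlisted_host": evaluate(block, Packet("tcp", OUTSIDE, "192.0.2.200", 8080, True)),
    }


if __name__ == "__main__":
    for name, (action, examined) in demo().items():
        print(f"{name:24s} {action:5s} after {examined:3d} rules")
```

The model only reproduces first-match ordering and the quoted rule shapes; it says nothing about the cost of individual ipfw matches or about spoofed addresses, which is why the real rule list, rather than a description of it, is what Nate asks for.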
