ip_input - chksum - why is it done so early in ip_input?
Apologies for the cross-post, I wasn't sure if this was hackers or net material.

I've often wondered why IP checksumming is done on every incoming packet and not only on the packets that need to be delivered locally. It looks like a very expensive way of doing it, especially on high PPS. Basically all hosts do checksumming, so why not just pass the bad packet on, making the forward process a lot cheaper (CPU wise)? I ran some tests (unable to disclose results) by removing it completely and it seems to make a noticeable impact on the performance. Especially on, for example, gaming services where there is a high PPS versus actual data.

Besides that I'd like to add that FreeBSD has the fastest forwarding engine I've seen on any free OS. It's in my opinion a very suitable OS for routing/forwarding.

_// Sten

___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "[EMAIL PROTECTED]"
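The header checksum the post is asking about, as an added example written for this page (it is not code from FreeBSD's ip_input path and not the poster's test setup): it computes and verifies the RFC 1071 IPv4 header checksum, then walks the ip_input decision the post describes on a constructed 20-byte UDP header. What a defender wants to see is why the check comes first: the destination address that selects local delivery versus forwarding, and the TTL the forwarding path rewrites, are covered only by this checksum, so a router that skipped the check and then recomputed the checksum from scratch after decrementing TTL would hand a corrupted destination address onward inside a freshly valid header. The incremental TTL update below follows RFC 1624 and is an assumption about how a forwarding path might do it, not a description of FreeBSD's code; the verdict enum and function names are invented for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample: 20-byte IPv4/UDP header, TTL 64, 192.168.0.1 -> 192.168.0.199,
 * with its correct header checksum 0xb861 already in bytes 10-11. */
static const uint8_t SAMPLE_HDR[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7
};

/* RFC 1071: 16-bit one's-complement sum of the buffer, carries folded back in, complemented. */
static uint16_t ip_cksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; data += 2, len -= 2)
        sum += ((uint32_t)data[0] << 8) | data[1];
    if (len)
        sum += (uint32_t)data[0] << 8;       /* odd trailing byte, zero padded */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Header length in bytes from the IHL nibble; 0 if version/IHL are not sane. */
static size_t ip_hlen(const uint8_t *hdr, size_t len)
{
    if (len < 20 || (hdr[0] >> 4) != 4)
        return 0;
    size_t hl = (size_t)(hdr[0] & 0x0f) * 4;
    return (hl < 20 || hl > len) ? 0 : hl;
}

/* A header with a correct checksum field sums to 0xffff, so ip_cksum() over it is 0. */
int ip_header_ok(const uint8_t *hdr, size_t len)
{
    size_t hl = ip_hlen(hdr, len);
    return hl != 0 && ip_cksum(hdr, hl) == 0;
}

/* Forwarding path (assumed, per RFC 1624 eq. 3: HC' = ~(~HC + ~m + m')): decrement the
 * TTL and patch the checksum using only the changed 16-bit word m -> m'.
 * Returns 0 when the TTL is spent and the packet must not be forwarded. */
int ip_forward_decrement_ttl(uint8_t *hdr)
{
    if (hdr[8] <= 1)
        return 0;
    uint16_t m  = (uint16_t)((hdr[8] << 8) | hdr[9]);   /* old TTL|proto word */
    hdr[8]--;
    uint16_t m2 = (uint16_t)((hdr[8] << 8) | hdr[9]);   /* new TTL|proto word */
    uint16_t hc = (uint16_t)((hdr[10] << 8) | hdr[11]);
    uint32_t sum = (uint16_t)~hc + (uint16_t)~m + (uint32_t)m2;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    uint16_t hc2 = (uint16_t)~sum;
    hdr[10] = (uint8_t)(hc2 >> 8);
    hdr[11] = (uint8_t)(hc2 & 0xff);
    return 1;
}

enum ip_verdict { IP_DROP_BAD_CKSUM, IP_DROP_TTL, IP_DELIVER_LOCAL, IP_FORWARD };

/* The ordering the post questions: verify the header before trusting any field in it,
 * because the destination address and TTL used below are protected only by that checksum. */
enum ip_verdict ip_input_verdict(uint8_t *pkt, size_t len, uint32_t my_addr)
{
    if (!ip_header_ok(pkt, len))
        return IP_DROP_BAD_CKSUM;
    uint32_t dst = ((uint32_t)pkt[16] << 24) | ((uint32_t)pkt[17] << 16) |
                   ((uint32_t)pkt[18] << 8) | pkt[19];
    if (dst == my_addr)
        return IP_DELIVER_LOCAL;
    return ip_forward_decrement_ttl(pkt) ? IP_FORWARD : IP_DROP_TTL;
}

/* Walk three cases on the sample header; returns the number of failed checks (0 = all good). */
int run_demo(void)
{
    uint8_t h[20];
    int failed = 0;
    /* 1. Intact header addressed to us: verified, delivered locally. */
    memcpy(h, SAMPLE_HDR, sizeof h);
    failed += ip_input_verdict(h, sizeof h, 0xc0a800c7u) != IP_DELIVER_LOCAL;
    /* 2. Intact header for someone else: forwarded with TTL 63 and checksum 0xb961,
     *    which is exactly what a from-scratch recomputation gives. */
    memcpy(h, SAMPLE_HDR, sizeof h);
    failed += ip_input_verdict(h, sizeof h, 0x0a000001u) != IP_FORWARD;
    failed += h[8] != 63 || h[10] != 0xb9 || h[11] != 0x61 || !ip_header_ok(h, sizeof h);
    /* 3. One flipped bit in the destination address: dropped before any routing on it. */
    memcpy(h, SAMPLE_HDR, sizeof h);
    h[19] ^= 0x01;
    failed += ip_input_verdict(h, sizeof h, 0x0a000001u) != IP_DROP_BAD_CKSUM;
    return failed;
}

int main(void)
{
    int failed = run_demo();
    printf("%s (%d failed)\n", failed ? "FAIL" : "OK", failed);
    return failed != 0;
}
```

The third case is the one that matters for the "pass bad packets on" idea: the corrupted bit lands in the address the router would route on, and only the header checksum reveals it. Dropping the check saves one 10-word sum per packet but moves the decision of where a damaged packet goes from the first hop to wherever the damage happens to point.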
RE: Ugly Huge BSD Monster
> > On Mon, Sep 01, 2003 at 12:38:34PM -0700, Greg Shenaut wrote:
> > Has it ever been suggested to create one or more "dependencies"
> > ports (or more to the point, packages)? I think it might be pretty
> > useful to have something like that so that all of the "prerequisites"
> > can be installed at once.
>
> Maybe I'm missing something but how would that be an improvement on
> what FreeBSD does now? If I try to install package X, it will
> automatically install dependencies A, B and C, as well as their
> dependencies.

That would ease the installation of port X on Y number of machines. Same libraries, same everything, precompiled. Otherwise one needs to manually track dependencies (not a terribly difficult job) and make those as packages, and keep doing this until all dependencies are as packages (in my case, I have several light-weight servers/routers that have no gcc/make capabilities). If anyone knows of a program/script that will do this for me, please speak up!

- Sten
RE: FreeBSD firewall for high profile hosts - waste of time ?
What is the size of your pipe? If the pipe is big, then so should your BSD box be. The only time I've used something as small as a 500ghz Celery it was for a puny 10mbit.

What kind of network adapters are you using? I can't recommend using anything other than Intel. The drivers suck for the other cards.

Have you applied POLLING (man polling)? If the computer in itself chokes, this will in almost every case prevent that. (Requires cards such as Intel.)

Do you filter outgoing packets so that your pipe won't be filled with ICMPs or RSTs on exit? Dummynet is good for that. If the incoming attack isn't large enough to completely block your pipe one way, it often blocks on exit as the responses go back.

Do you limit the amount of ICMP responses on each of the servers?

May I suggest using creative routing for packets on exit going to unassigned or unroutable nets?

How about getting a (perhaps smaller/cheaper) secondary pipe that also announces your network? Often the attacks go in on one pipe but let the other pipe go free. This applies mainly when you are the one announcing the networks through BGP or, in same-provider cases, OSPF.

But yes, in my opinion, a FreeBSD firewall is worth using your time with.

---
Med vennlig hilsen / Best regards
Sten Daniel Sørsdal
---

-Original Message-
From: Josh Brooks [mailto:[EMAIL PROTECTED]]
Sent: 16 January 2003 23:42
To: Matthew Dillon
Cc: Nate Williams; [EMAIL PROTECTED]
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?

> If attacks are a predominant problem for you, I recommend sticking a
> machine in between your internet connection and everything else whos

Actually this is what I already do - my ISP does all the routing, and it feeds in one interface of my freebsd machine, and everything else is on the other side of the freebsd machine. My freebsd machine does _nothing_ but filter packets and run ssh.

> ONLY purpose is to deal with attacks. With an entire cpu dedicated
> to dealing with attacks you aren't likely to run out of CPU suds (at least
> not before your attackers fills your internet pipe). This allows you
> to use more reasonable rulesets on your other machines.

You know, I keep hearing this ... the machine is a 500 mhz p3 celeron with 256 megs ram ... and normally `top` says it is at about 80% idle, and everything is wonderful - but when someone shoves 12,000-15,000 packets per second down its throat, it chokes _hard_. You think that optimizing my ruleset will change that? Or does 15K p/s choke any freebsd+ipfw firewall with 1-200 rules running on it?

thanks.

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message