Comments inline...

Corey M. Snow- [EMAIL PROTECTED]
I don't speak for my employer.


> -----Original Message-----
> From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 18, 2002 6:06 AM
> To: [EMAIL PROTECTED]
> Cc: Snow, Corey; [EMAIL PROTECTED]; Jeff Aufderheide
> Subject: RE: Cracking a server without services (filtering bridges)
> 
> 
> The only problem w/ supporting a T1 on that hardware would be the memory
> bandwidth.  ISA NICs don't implement the kind of buffering a PCI NIC does,
> so you might run into problems (remember, a 486/66 runs its memory bus at
> 33 MHz).  In a prior life, I did the experiments w/ ISA NICs and was never
> really able to drive them more than about 17% of the 10BaseT speed.  Note
> that some of the fancy stuff (processor off-load, parallel tasking, etc.)
> that they used to charge an arm and a leg for really does work!
> 

I imagine that this is correct. I hadn't actually seriously considered
trying to filter a saturated T1 with such a setup, but it is in theory
possible to do, and would probably work for the load that most T1s have. I
mean, if your T1 is always running at saturation, you probably need an
upgrade anyway. ;-)

Besides, although I used ultra-cheap old hardware, the next step up (a
Pentium-class box with a PCI bus) isn't that much more expensive if you want
to get one used. My other firewall, which does NAT, is a PII-400. I
generally use that one to build my kernels. The downside to a 486-class box
is that building anything takes forever. :)


> Finally, filtering bridges can be used for other things!  (I know you can do
> this with Linux, I'm assuming FreeBSD has similar capabilities) You can use
> the queuing disciplines to limit bandwidth and set priorities for specific
> services.  I did this with Linux, to simulate slower speed lines for some
> VoIP tests.  What's really cool is that I was able to rate-limit the VoIP
> stuff, but still allow all the other traffic in and out of my machine at
> full speed, yet give the VoIP priority, so that it was an honest test of
> slower lines.  The one thing to remember is that you have to do it twice, as
> cbq et al. only affect traffic leaving an interface.
> 

Yes, FreeBSD does implement such functionality through ipfw(4) and the
dummynet(4) traffic shaper. Essentially, you define dummynet "pipes", which
can be configured to limit bandwidth, simulate a delay, drop packets
randomly, etc. I've never needed it myself, but it does work pretty well
from what I've heard.
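As an added illustration (not from either poster), the kind of ipfw(8)/dummynet(4) rule set the exchange describes for a FreeBSD filtering bridge: a pipe that simulates a T1 with delay and random loss, applied once per direction as Burton's "do it twice" note requires. The interface names fxp0/fxp1, the 192.0.2.0/24 VoIP subnet and the FreeBSD 4.x bridge behaviour (with net.link.ether.bridge_ipfw=1, bridged packets reach ipfw as "in" on the interface that received them) are assumptions; the script prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not the original poster's configuration. Assumed layout:
# fxp0 faces the outside, fxp1 faces the inside, and the kernel has
# IPFIREWALL + DUMMYNET. The VoIP subnet is a constructed TEST-NET address.
OUT_IF="${OUT_IF:-fxp0}"
IN_IF="${IN_IF:-fxp1}"
BW="${BW:-1544Kbit/s}"               # T1 line rate
DELAY="${DELAY:-30}"                 # one-way delay, milliseconds
PLR="${PLR:-0.01}"                   # random packet loss rate, 0..1
VOIP_NET="${VOIP_NET:-192.0.2.0/24}" # constructed example subnet

# Emit the rule set on stdout instead of running it, so it can be checked
# (or diffed against the live box) before anything is applied.
dummynet_rules() {
    cat <<EOF
ipfw -q flush
ipfw -q pipe flush
ipfw pipe 1 config bw $BW delay $DELAY plr $PLR
ipfw pipe 2 config bw $BW delay $DELAY plr $PLR
ipfw add 100 pipe 1 ip from $VOIP_NET to any in via $IN_IF
ipfw add 200 pipe 2 ip from any to $VOIP_NET in via $OUT_IF
ipfw add 65000 allow ip from any to any
EOF
}
# Pipe 1 shapes inside->outside (seen by the bridge on fxp1), pipe 2 shapes
# outside->inside (seen on fxp0). A single pipe would make both directions
# share one bandwidth budget; two pipes give each direction a full T1.

# Sanity check: a shaper that only covers one direction is the classic
# mistake the thread warns about, so count the pipe rules.
count_shaped_directions() {
    dummynet_rules | grep -c '^ipfw add [0-9]* pipe '
}

case "${1:-}" in
    apply) dummynet_rules | sh -e ;;   # actually load the rules (needs root)
    *)     dummynet_rules ;;           # default: review only
esac
```

Run it with no argument to review, or `./shape.sh apply` on the bridge itself; the pipe parameters can be overridden through the environment (e.g. `PLR=0.05 ./shape.sh`).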