Crippled transparent firewall

dsa dsa cravietz at hotmail.com
Sun Sep 7 02:31:14 PDT 2003 

I have Freebsd 4.8 on P4 2.4, 1 gb DDR ram and two
Intel EtherPro100 (fxp0,fxp1). I have setup
transparent firewall/birdge on it. The purpose of
doing that is only to relieve cpu load of cisco router
(7200) which is getting hit pretty often by DDoS
attacks. Line carries 100 mbps. Basically it looks
like this:

Cisco>------------<BSD>--------100mbps-------<INTERNET

ok, now, let's put it this way..cisco is pushing about
50mbps during off-peak hours but when i put this
BSD-based transparent firewall in front of the cisco
router it goes down to 15 mbps while the 'top' output
shows 90% idle. No firewall rules have been set so
far.

Do you have any clue what may be wrong? below is my
config:

options         TCP_DROP_SYNFIN         #drop TCP
packets with SYN+FIN
options         ACCEPT_FILTER_DATA
options         ACCEPT_FILTER_HTTP
options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #print
information about
options         IPFIREWALL_FORWARD      #enable
transparent proxy support
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit
verbosity
options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow
everything by default
options         IPFILTER                #ipfilter
support
options         IPFILTER_LOG            #ipfilter
logging
options         IPDIVERT                #divert
sockets
options         IPSTEALTH               #support for
stealth forwarding
options         BRIDGE
options         HZ=1000


net.inet.ip.fastforwarding=1
net.inet.ip.forwarding=1
net.inet.ip.fw.enable=1
net.inet.ip.fw.verbose=3
net.inet.ip.fw.one_pass=0
net.inet.ip.stealth=1
net.inet.tcp.blackhole=2
net.inet.tcp.keepidle=9000
net.inet.tcp.recvspace=65536
net.inet.tcp.sendspace=65536
net.inet.udp.blackhole=1
net.link.ether.bridge=1
net.link.ether.bridge_cfg=fxp0,fxp1
net.link.ether.bridge_ipfw=1
net.link.ether.inet.log_arp_wrong_iface=0
net.link.ether.ipfw=1


Also is there any nice freebsd tool to precisely count
how many packets is box handling per second.

Greatly appreciate any answer

Best regards

Marcin Krawiec

_________________________________________________________________
STOP MORE SPAM with the new MSN 8 and get 2 months FREE* 
http://join.msn.com/?page=features/junkmail

More information about the freebsd-ipfw mailing list