Crippled transparent firewall
Don Bowman
don at sandvine.com
Sun Sep 7 08:27:22 PDT 2003
> From: dsa dsa [mailto:cravietz at hotmail.com]
>
> I have FreeBSD 4.8 on P4 2.4, 1 GB DDR RAM and two
> Intel EtherPro100 (fxp0,fxp1). I have set up a
> transparent firewall/bridge on it. The purpose of
> doing that is only to relieve the CPU load of the Cisco router
> (7200) which is getting hit pretty often by DDoS
> attacks. The line carries 100 mbps. Basically it looks
> like this:
>
> Cisco>------------<BSD>--------100mbps-------<INTERNET
>
> OK, now, let's put it this way... the Cisco is pushing about
> 50 mbps during off-peak hours, but when I put this
> BSD-based transparent firewall in front of the Cisco
> router it goes down to 15 mbps while the 'top' output
> shows 90% idle. No firewall rules have been set so
> far.
>
I would check netstat -m. If you are seeing denied
mbufs, then I would increase NMBCLUSTERS/NMBUFS.
I would check that your Cisco and BSD & internet
connection agree on duplex. e.g. if one is auto and
the other is forced 100 full, the auto one will
go to 100 half, which is useless :).
Check for excessive collisions to see this.
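The two checks in the reply above (denied mbuf requests in `netstat -m`, and a collision rate high enough to suggest a duplex mismatch in `netstat -i`) can be scripted. The following is an added example and not part of the thread or of any FreeBSD tool; the `netstat` output it parses is constructed sample text in the FreeBSD 4.x layout, and the 1% collision threshold is an assumed rule of thumb, not a value from the post.

```sh
#!/bin/sh
# Added example (not from the original thread): scan "netstat -m" and
# "netstat -i" output for the two symptoms Don describes, denied mbuf
# requests and excessive collisions.

# Constructed sample of FreeBSD 4.x "netstat -m" output (not real data):
# the cluster pool is at its ceiling and allocations are being refused.
SAMPLE_NETSTAT_M='1023/1280/34816 mbufs in use (current/peak/max):
        1023 mbufs allocated to data
8704/8704/8704 mbuf clusters in use (current/peak/max)
17728 Kbytes allocated to network (99% of mb_map in use)
4821 requests for memory denied
0 requests for memory delayed
12 calls to protocol drain routines'

# Constructed sample of "netstat -i" output (not real data): fxp0 shows
# the collision count typical of a half-duplex port facing a full-duplex peer.
SAMPLE_NETSTAT_I='Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
fxp0  1500  <Link#1>      00:02:b3:aa:bb:cc 9812345  2314  8712345     0 412903
fxp1  1500  <Link#2>      00:02:b3:dd:ee:ff 8712345     0  9812345     0     0
lo0   16384 <Link#3>                          1200     0     1200     0     0'

# Read "netstat -m" text on stdin and print the count of denied requests
# (0 if the line is absent). Non-zero means mbuf/cluster exhaustion: the
# reply's cue to raise NMBCLUSTERS/NMBUFS (on 4.x via the kernel config or
# the kern.ipc.nmbclusters loader tunable).
mbuf_denied() {
    awk '/requests for memory denied/ { print $1; found = 1 }
         END { if (!found) print 0 }'
}

# Read "netstat -i" text on stdin and print "<ifname> <collision-percent>"
# for each physical interface whose collisions exceed $1 percent of output
# packets. Columns are taken from the end of the line (Coll, Oerrs, Opkts)
# so a blank Address field, as on lo0, does not shift them.
high_collisions() {
    awk -v pct="$1" 'NR > 1 && $1 !~ /^lo/ {
        opkts = $(NF - 2); coll = $NF
        if (opkts > 0 && coll * 100 / opkts > pct + 0)
            printf "%s %d\n", $1, coll * 100 / opkts
    }'
}

# Run both checks over the constructed samples. On a live 4.x box you
# would pipe the real commands instead:
#   netstat -m | mbuf_denied ; netstat -i | high_collisions 1
denied=$(printf '%s\n' "$SAMPLE_NETSTAT_M" | mbuf_denied)
if [ "$denied" -gt 0 ]; then
    echo "mbuf: $denied requests denied, raise NMBCLUSTERS/NMBUFS"
else
    echo "mbuf: no denied requests"
fi
printf '%s\n' "$SAMPLE_NETSTAT_I" | high_collisions 1 | while read -r ifname rate; do
    echo "$ifname: ${rate}% collisions, check duplex on both ends"
done
```

Collisions only appear on a half-duplex port, so a large Coll count on a link both sides believe is 100 Mbit/s full duplex is the fingerprint of the auto-negotiation failure the reply describes; the fix is to set both ends the same way rather than forcing only one.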
More information about the freebsd-ipfw
mailing list