Problem with high load on Xeon server...

Henry Blackman h.blackman at chester.ac.uk
Sun May 1 08:54:28 PDT 2005


There are better ways of achieving what you're trying to do.  Using  
black lists (spamcop.net etc) is more efficient, but of course is  
resource intensive for busy servers - it is however dramatically  
better than doing what you're doing, which probably isn't sustainable  
in the longer term.

I'd take a look at SpamAssassin, or you can simply use blacklists  
bl.spamcop.net and others, in sendmail.  SpamAssassin can also do  
other things, than simply block IP addresses...

Henry

On 1 May 2005, at 15:47, Chuck Rock wrote:

> I'm running FreeBSD release 5.2.1
>
> I would like to add 61,000+ rules to ipfw. When I get to about 10,000
> rules, the box's load gets real high, and stays there until I delete the
> rules.
>
> Has anyone actually used the 60,000+ rule numbers available? I've tried
> this on two different servers with similar results.
>
> One server is Dual Xeon 2.8Gig. Average load is between 1 and 2 with 7
> rules in ipfw. Load goes between 17 and 28 with around 12,000 rules.
>
> The other server is dual P3-1Gig with avg. load of 1 with 7 rules. With
> about 9,000 rules, the load goes to 8. With 20,000 rules, the box
> overloaded and locked up, no kernel panic, just no keyboard, mouse, IP
> traffic, console screen froze, etc.
>
> Both boxes showed no excessive memory usage.
>
> Why 60,000 IP's you ask... These boxes are high traffic mail servers, and
> I've got an extensive sendmail access file. I wanted to keep the servers
> from handling so much spam by blocking the IP's of relays that failed the
> access list relay check.
>
> Over about one week, I have 60,000+ unique IP addresses from my logs.
>
> On one server when I was able to get about 21,000 rules in, the rate of
> spam dropped from 90% to about 50%, so I could really tell it was
> working.
>
> I just need to figure out how to drop those packets.
>
> I was also thinking of building a bridge firewall so the server wasn't
> doing anything but filtering packets, but after seeing that ipfw couldn't
> even handle half of the 65,000 rules available, I'm having second
> thoughts.
>
> Anyone have any ideas?
>
> Thanks,
> Chuck
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>
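A way to get the effect Chuck was after without tens of thousands of numbered rules, added here as an example that is not part of the thread: load the addresses into one ipfw table and match it with a single rule, so the lookup is a table search rather than a linear walk of the rule list. It assumes an ipfw build with table support (the `table(N)` syntax) and that rule number 1000 lands before the server's SMTP accept rule; the function only prints the commands so they can be reviewed before being run as root.

```sh
#!/bin/sh
# ipfw_table_from_list TABLE_NO LISTFILE
# Reads one IPv4 address per line, drops blank lines, comments, malformed
# lines and duplicates, and prints the ipfw commands to stdout.
ipfw_table_from_list() {
    table=$1
    list=$2
    echo "ipfw table $table flush"
    # Keep only dotted-quad lines (shape check only, not a range check);
    # sort -u removes the repeats a week of log scraping always produces.
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' "$list" | sort -u |
    while read -r ip; do
        echo "ipfw table $table add $ip"
    done
    # One rule covers every table entry.  Rule number 1000 is an
    # assumption: it must sit ahead of the rule that accepts port 25.
    echo "ipfw add 1000 deny tcp from 'table($table)' to me 25"
}

# Constructed sample input (documentation-range addresses, not real
# relays): includes a comment, a blank line, a duplicate and a malformed
# line, all of which must be dropped.
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
# relays that failed the access-list check, scraped from maillog
192.0.2.10
198.51.100.7

192.0.2.10
not-an-address
203.0.113.99
EOF

ipfw_table_from_list 1 "$SAMPLE_LIST"
```

Pipe the output to `sh` as root on the firewall host to apply it; re-running it after the list is regenerated refreshes the table without touching the rest of the ruleset.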
