Problem with high load on Xeon server...
Henry Blackman
h.blackman at chester.ac.uk
Sun May 1 08:54:28 PDT 2005
There are better ways of achieving what you're trying to do. Using
black lists (spamcop.net etc) is more efficient, but of course is
resource intensive for busy servers - it is however dramatically
better than doing what you're doing, which probably isn't sustainable
in the longer term.
I'd take a look at SpamAssassin, or you can simply use blacklists
(bl.spamcop.net and others) in sendmail. SpamAssassin can also do
other things than simply block IP addresses...
Henry
On 1 May 2005, at 15:47, Chuck Rock wrote:
> I'm running FreeBSD release 5.2.1
>
> I would like to add 61,000+ rules to ipfw. When I get to about 10,000
> rules, the box's load gets real high, and stays there until I delete
> the rules.
>
> Has anyone actually used the 60,000+ rule numbers available? I've
> tried this on two different servers with similar results.
>
> One server is Dual Xeon 2.8Gig. Average load is between 1 and 2 with 7
> rules in ipfw. Load goes between 17 and 28 with around 12,000 rules.
>
> The other server is dual P3-1Gig with avg. load of 1 with 7 rules.
> With about 9,000 rules, the load goes to 8. With 20,000 rules, the
> box overloaded and locked up, no kernel panic, just no keyboard,
> mouse, ip traffic, console screen froze, etc.
>
> Both boxes showed no excessive memory usage.
>
> Why 60,000 IP's you ask... These boxes are high traffic mail
> servers, and I've got an extensive sendmail access file. I wanted to
> keep the servers from handling so much spam by blocking the IP's of
> relays that failed the access list relay check.
>
> Over about one week, I have 60,000+ unique IP addresses from my logs.
>
> On one server when I was able to get about 21,000 rules in, the rate
> of spam dropped from 90% to about 50%, so I could really tell it was
> working.
>
> I just need to figure out how to drop those packets.
>
> I was also thinking of building a bridge firewall so the server wasn't
> doing anything but filtering packets, but after seeing that ipfw
> couldn't even handle half of the 65,000 rules available, I'm having
> second thoughts.
>
> Anyone have any ideas?
>
> Thanks,
> Chuck
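The DNS blacklist check suggested in the reply, sketched as an added example that is not part of the original thread: the connecting IPv4 address is reversed, looked up under the blacklist zone, and treated as listed when a loopback A record comes back. The `DnsblChecker` class, the fake resolver and the sample addresses are constructed for illustration; the in-memory cache has no expiry, which a production cache would need.

```python
import ipaddress
import socket

# DNSBLs conventionally answer "listed" with an A record inside 127.0.0.0/8.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.99 -> 99.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolve(name):
    """A-record lookup via the OS resolver; any failure (incl. NXDOMAIN) returns []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []  # fail open: an unreachable blacklist must not block all mail

class DnsblChecker:
    """Hypothetical helper: checks a client IP against one or more DNSBL zones."""
    def __init__(self, zones, resolve=system_resolve):
        self.zones = zones
        self.resolve = resolve
        self.cache = {}   # ip -> zones listing it; repeat senders cost no new queries
        self.queries = 0  # DNS lookups actually issued

    def listed_in(self, ip):
        if ip not in self.cache:
            hits = []
            for zone in self.zones:
                self.queries += 1
                answers = self.resolve(dnsbl_query_name(ip, zone))
                if any(ipaddress.ip_address(a) in LISTED_NET for a in answers):
                    hits.append(zone)
            self.cache[ip] = hits
        return self.cache[ip]

# Constructed offline data standing in for the blacklist zone (documentation-range IPs).
FAKE_ZONE_DATA = {"99.2.0.192.bl.spamcop.net": ["127.0.0.2"]}

def fake_resolve(name):
    return FAKE_ZONE_DATA.get(name, [])

if __name__ == "__main__":
    checker = DnsblChecker(["bl.spamcop.net"], resolve=fake_resolve)
    for client in ["192.0.2.99", "198.51.100.7", "192.0.2.99"]:
        print(client, "reject" if checker.listed_in(client) else "accept")
    print("DNS queries issued:", checker.queries)
```

The cache is what keeps the per-connection DNS cost down on a busy server: the third connection above reuses the first lookup.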