High performance IDS/Firewall

Michael Conlen meconlen at obfuscated.net
Wed May 28 14:54:16 PDT 2003

I'm considering setting up a FreeBSD firewall/IDS system to handle 
60-80Mbit/sec of traffic. The box would have three adapters, two of them 
bridging and one for access. I will place the IDS on the outside bridge 
interface and apply IPFW rules on the system as needed. My concern is 
what the failure order is if the system is under heavy load. My preferred 
order would be

snort (libpcap) drops packets and snort fails to detect
firewall fails to block
system drops packets

as it's more important for the system to be running than to identify or 
block the things we are trying to identify and block.

Is this the order things would fall over, or am I likely to cause the 
system to drop packets as soon as things get ugly?

PS: I'm considering a dual P4 2GHz 4GB of memory system, and SCSI-3 disk 
subsystem, and there's only one server on the "inside" of this network, 
so I don't think I'll have a major failure situation, unless someone 
suddenly generates over 20Mbit of DOS traffic, and those people usually 
go after the router...

Michael Conlen
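The failure order asked about above can be checked rather than guessed, because the two stages leave different counters behind. A BPF tap (what libpcap reads) only gets a copy of each frame; when snort cannot drain the BPF buffer fast enough the kernel counts the frame as dropped for that reader and the frame still goes through bridging and the IPFW rules. Kernel-level loss shows up instead on the bridge interfaces themselves (input errors/drops in netstat -i). The script below is an added example, not code from the original post: it parses a constructed snort "Packet Wire Totals" block and a constructed netstat -i listing (interface names em0/em1/em2, the column layout and the exact snort wording are assumptions; adjust the regexes to your snort and FreeBSD version) and reports whether the sensor is blind, the box is dropping traffic, or neither.

```python
import re

# Constructed sample output, not captured from a real system. The first block
# mimics the packet totals Snort 2.x prints on exit or SIGUSR1; the second
# mimics "netstat -i" on a FreeBSD bridge box with em0/em1 bridging and em2 as
# the management interface. Column names/order are an assumption about the
# running version, so the parser reads the header instead of hard-coding indexes.
SNORT_STATS = """\
Packet Wire Totals:
   Received:        1500000
   Analyzed:        1455000 (97.000%)
   Dropped:           45000 (3.000%)
"""

NETSTAT_I = """\
Name  Mtu   Network       Address            Ipkts Ierrs Idrop    Opkts Oerrs  Coll
em0   1500  <Link#1>      00:11:22:33:44:55 1500000     0     0  1498000     0     0
em1   1500  <Link#2>      00:11:22:33:44:56 1498000     0     0  1500000     0     0
em2   1500  <Link#3>      00:11:22:33:44:57    2100     0     0     1900     0     0
"""

# Same listing, but with em0 showing input drops: the kernel itself is losing
# frames, which is the case the poster most wants to avoid. Also constructed.
NETSTAT_I_OVERLOADED = """\
Name  Mtu   Network       Address            Ipkts Ierrs Idrop    Opkts Oerrs  Coll
em0   1500  <Link#1>      00:11:22:33:44:55 1500000     0   250  1498000     0     0
em1   1500  <Link#2>      00:11:22:33:44:56 1498000     0     0  1500000     0     0
em2   1500  <Link#3>      00:11:22:33:44:57    2100     0     0     1900     0     0
"""


def parse_snort_totals(text):
    """Return (received, dropped) from a Snort 'Packet Wire Totals' block."""
    recv = re.search(r"Received:\s+(\d+)", text)
    drop = re.search(r"Dropped:\s+(\d+)", text)
    if not recv or not drop:
        raise ValueError("could not find Received/Dropped counters in snort output")
    return int(recv.group(1)), int(drop.group(1))


def parse_netstat_i(text):
    """Return {ifname: {'ipkts', 'ierrs', 'idrop'}} from 'netstat -i' output.

    The header line decides the column positions; if this netstat has no Idrop
    column (older releases), idrop is reported as 0 rather than double-counted.
    """
    lines = text.strip().splitlines()
    cols = {name: idx for idx, name in enumerate(lines[0].split())}
    result = {}
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(cols):
            continue  # address-less or wrapped lines have a different field count
        result[fields[cols["Name"]]] = {
            "ipkts": int(fields[cols["Ipkts"]]),
            "ierrs": int(fields[cols["Ierrs"]]),
            "idrop": int(fields[cols["Idrop"]]) if "Idrop" in cols else 0,
        }
    return result


def classify(snort_text, netstat_text, bridge_ifaces, pcap_drop_limit=0.01):
    """Decide which stage is failing first under load.

    'forwarding': a bridge interface shows input errors/drops, so the kernel is
                  losing traffic regardless of what snort or ipfw do.
    'capture'   : snort's libpcap drop ratio exceeds pcap_drop_limit while the
                  interfaces are clean, i.e. the IDS is blind but the box forwards.
    'healthy'   : neither counter is moving.
    """
    received, dropped = parse_snort_totals(snort_text)
    pcap_ratio = dropped / received if received else 0.0

    ifs = parse_netstat_i(netstat_text)
    interface_loss = {}
    for name in bridge_ifaces:
        if name not in ifs:
            raise ValueError("interface %s not present in netstat output" % name)
        c = ifs[name]
        lost = c["ierrs"] + c["idrop"]
        seen = c["ipkts"] + lost
        interface_loss[name] = lost / seen if seen else 0.0

    if any(ratio > 0 for ratio in interface_loss.values()):
        stage = "forwarding"
    elif pcap_ratio > pcap_drop_limit:
        stage = "capture"
    else:
        stage = "healthy"
    return {"stage": stage, "pcap_drop_ratio": pcap_ratio, "interface_loss": interface_loss}


if __name__ == "__main__":
    for label, netstat in (("normal", NETSTAT_I), ("overloaded", NETSTAT_I_OVERLOADED)):
        print(label, classify(SNORT_STATS, netstat, ["em0", "em1"]))
```

Run it periodically (or feed it the real outputs of snort's stats dump and netstat -i) and alert on the "forwarding" stage; a "capture" result is the tolerable failure the post describes, and the usual remedy there is a larger BPF buffer (net.bpf.bufsize / net.bpf.maxbufsize) or less snort work per packet, not a change to the firewall.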

