Bridging Firewall Machine Questions

Ian Kaney ikaney at
Thu Jan 26 03:50:52 PST 2006

Hi there. I wonder if somebody could help me with an issue I'm experiencing.
I've put together a bridging firewall using FreeBSD 5.X. The traffic routes
through fine and presently I'm using IPFW, default policy is set to deny,
with certain rules/ports allowed to pass through. The three interfaces that
are being bridged are all gigabit speed. The server is using Intel/Broadcom
gigabit network cards. The machine that is performing the bridging is a Dual
Opteron 246 with 2GB memory.

The issue that I'm finding is that the CPU runs out of power when the links
are being hit hard. The em0 (fibre) device in particular runs at about 6%
consistently with normal traffic (~40Mbits/s) being pushed through the
bridge. This means the machine would run out of CPU power when the link was
being utilised at around ~650Mbits/s. Is this unavoidable or is this a
symptom of more CPU power being required?

I've also had problems with the bridge running out of dynamic rules. I've
raised them to silly figures; however, I'm always wary that if a machine had a
Trojan or some other form of malware that attempted a DoS attack, the bridge
would probably fall over after exhausting its dynamic rule count and cause
more issues. Could this be fixed perhaps by setting the default policy of
IPFW to accept, or do the dynamic rules get created anyway when bridging?

I've tried reading around the Internet and various manuals and what not but
don't seem to be getting that far with things... I've also looked at perhaps
upgrading to FreeBSD 6.X because that's got newer bridging code which might
alleviate issues, or so I've heard?

I hope somebody can help. Thanks in advance to anybody who can give me a few
pointers. Cheers.

Ian Kaney
Mail: ikaney at
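On the dynamic-rule question: ipfw only creates a dynamic entry when a packet matches a rule carrying keep-state or limit, and the default policy (deny or accept) has no bearing on that. A default-to-accept policy would simply let everything the stateful rules did not match pass. The usual way to keep a trojaned host from exhausting the table is to make the bulk, well-defined traffic stateless, use limit instead of keep-state where state is needed so each source address gets a bounded number of entries, and set net.inet.ip.fw.dyn_max explicitly. The script below is an added example written for this thread, not the poster's ruleset or anything from the FreeBSD rc.firewall; the interface names (em0 outside, bge0 inside), the 192.0.2.0/24 inside network, the port lists and the per-host limits are assumed values, and it uses ipfw2 syntax as shipped with FreeBSD 5.x. Run it with no argument to print the commands it would issue; run it as `sh ipfw-bridge.sh apply` on the bridge to load them.

```shell
#!/bin/sh
# Added example (not the original poster's configuration): a stateful ipfw
# ruleset for a bridging firewall with a bounded dynamic-rule table.
# Assumed names/values: em0 = outside NIC, bge0 = inside NIC, 192.0.2.0/24 =
# inside network, port lists and limits below. ipfw2 syntax (FreeBSD 5.x).

fwcmd="${fwcmd:-/sbin/ipfw}"
sysctl_cmd="${sysctl_cmd:-/sbin/sysctl}"
oif="em0"
iif="bge0"
inside="192.0.2.0/24"

load_ruleset() {
    # Bound the dynamic table before any keep-state/limit rule exists.
    # dyn_max is the hard cap on entries; dyn_buckets sizes the hash table
    # and must be a power of two.  Lifetimes (dyn_udp_lifetime,
    # dyn_syn_lifetime, ...) can be tightened separately if entries linger.
    $sysctl_cmd net.inet.ip.fw.dyn_buckets=4096
    $sysctl_cmd net.inet.ip.fw.dyn_max=16384

    $fwcmd -f flush
    $fwcmd add 100 allow ip from any to any via lo0

    # Consult existing dynamic entries first so reply packets of
    # already-accepted flows never reach the stateless rules below.
    $fwcmd add 200 check-state

    # Stateless rules for the high-volume, well-defined services.  No
    # keep-state here, so a flood of these packets cannot grow the table;
    # the return direction has to be allowed explicitly.
    $fwcmd add 300 allow tcp from any to $inside 25,80,443
    $fwcmd add 310 allow tcp from $inside 25,80,443 to any

    # Outbound connections from inside hosts: stateful, but "limit src-addr N"
    # caps the entries one source address may hold.  A host that opens more
    # than N flows (a Trojan scanning or flooding) gets its extra SYNs and
    # DNS queries dropped by the default deny instead of eating dyn_max.
    # "in via $iif" assumes those packets are seen arriving on the inside NIC.
    $fwcmd add 400 allow tcp from $inside to any in via $iif setup limit src-addr 100
    $fwcmd add 410 allow udp from $inside to any 53 in via $iif limit src-addr 50

    # Explicit final deny with rate-limited logging so a flood is visible
    # without the log itself becoming the DoS.
    $fwcmd add 65000 deny log logamount 100 ip from any to any
}

# With no argument the script only prints the commands it would issue.
if [ "${1:-preview}" != "apply" ]; then
    fwcmd="echo ipfw"
    sysctl_cmd="echo sysctl"
fi
load_ruleset
```

The important property is that only rules 400 and 410 can ever add dynamic entries, and each is capped per source address, so the worst case for the table is (number of inside hosts) x 150 entries rather than whatever one infected machine can generate. Check the live count against the cap with `sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max` and inspect the entries themselves with `ipfw -d show`.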
