> If I remember correctly he has less than 10Mbit
> uplink and a lot of count rules for client accounting.
> It is reason I recommend him to use userland accounting.
> And as far as I understand a lot of count rules is
> the reason for trouble.
I removed all the count rules a week or so ago. Now I just have 2-300 rules in the form:

    allow tcp from $IP to any established
    allow tcp from any to $IP established
    allow tcp from any to $IP 22,25,80,443 setup
    deny ip from any to $IP

and I have that same set in there about 50-70 times - one for each customer IP address that has requested it. That's it :)

So each packet I get goes through about 5 rules at the front to check for bogus packets, then about 70 sets of the above until it either matches one of those, or goes out the end with the default allow rule. I _could_ put a ruleset like the above in for every customer, but then I would have about 2000 rules - so I only put them in for the customers that ask.

But again, even though every day I put in more and more "special" blocks for DoS packets, every day there is some new DoS packet that I have never seen before that hits me at thousands of packets per second, and all of them flow through that entire ruleset.

-----

So I am going to:

a) do the thing where I specify the interface for all my allow rules - that sounds like it will help a lot - 3 out of the 4 rules in the set above are allow rules - might as well push them through as soon as they get there.

b) get better at blocking bogus packets every day :)

c) start getting more complicated rate shaping with ipfw to limit icmp echo response and RSTs, etc.

But I still don't know if any of that helps if I get a 20,000 packet/second UDP flood to a valid port on an internal machine...

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
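The per-customer block above is written without any interface or direction qualifier, so ipfw tests every forwarded packet against it on both the inbound and the outbound pass. The script below is an added example, not code from the poster or from the FreeBSD project: it generates the same four-rule block for a list of customers, with each rule pinned to the pass and interface on which it can actually match, which is what item (a) of the plan amounts to. The interface names (fxp0 facing upstream, fxp1 facing the customers), the rule numbering scheme and the customer addresses are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: generate the per-customer ipfw block with direction and
# interface qualifiers, so a packet is only tested against rules that can
# apply to it. Interface names are assumptions for this illustration.
EXT_IF=fxp0   # assumed: interface toward the upstream
INT_IF=fxp1   # assumed: interface toward the customers

# Emit one customer block. $1 = first rule number, $2 = customer IP.
# Traffic to the customer can only arrive on the external interface, and
# traffic from the customer can only arrive on the internal one, so each
# rule is qualified with "in via <iface>" and is skipped on every other pass.
customer_rules() {
    rb=$1
    ip=$2
    echo "add $rb allow tcp from $ip to any established in via $INT_IF"
    echo "add $((rb+1)) allow tcp from any to $ip established in via $EXT_IF"
    echo "add $((rb+2)) allow tcp from any to $ip 22,25,80,443 setup in via $EXT_IF"
    echo "add $((rb+3)) deny ip from any to $ip in via $EXT_IF"
}

# Build the whole per-customer section from a list of IPs given as arguments.
# $1 = first rule number; each customer gets a block of ten rule numbers,
# leaving room to add a rule for one customer without renumbering the rest.
gen_ruleset() {
    gb=$1
    shift
    for cust in "$@"; do
        customer_rules "$gb" "$cust"
        gb=$((gb+10))
    done
}

# Constructed sample customer list (documentation addresses, not real ones).
# The output is in the form ipfw(8) reads from a file: review it, then feed it
# to ipfw rather than pasting it blind into a live firewall.
gen_ruleset 1000 192.0.2.10 192.0.2.11
```

Because the rules in a block now all carry the same "in via" qualifier, the deny rule at the end of each block also stops matching on the outbound pass, so the only rule a customer's outgoing packet is compared against on its way out is the default at the end of the ruleset; check that this is the behaviour wanted before loading it.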