Josh Brooks wrote:

> I removed all the count rules a week or so ago. Now I just have 2-300
> rules in the form:
>
> allow tcp from $IP to any established
> allow tcp from any to $IP established
> allow tcp from any to $IP 22,25,80,443 setup
> deny ip from any to $IP
>
> and I have that same set in there about 50-70 times - one for each
> customer IP address that has requested it. That's it :)
You have got to be frigging kidding...

Q1) Are all customers "who have requested it" running the same rule set?

Q2) Have you ever heard of "skipto"?

> So each packet I get goes through about 5 rules at the front to check for
> bogus packets, then about 70 sets of the above until it either matches one
> of those, or goes out the end with the default allow rule.

No, each packet goes through 2-300 rules at the front, in which the IP
address does not match and the rule does not take effect. Ugh.

1) Separate inbound and outbound, per what Nate told you.
2) Have a rule for the IP... preferably for a block of them, instead of one per IP
3) Skip to a common rule set
4) Be happy

PS: I still think that if your CPU pegs, you've got a loop in there
somewhere. Most common case is a "reject" or "deny". Try changing all of
them to "drop", instead, and see if that "fixes" it.

-- Terry
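A rule generator, added here as an example and not part of the thread, that applies points 1 to 3: one skipto per customer block, keyed on direction, branching into a shared policy block, with a terminating allow in front of that block so non-customer traffic still gets the original default-allow result instead of walking the shared rules. The rule numbers, the common-block offsets and the sample networks are assumptions, and the script prints the ipfw commands for review rather than executing them.

```shell
#!/bin/sh
# Added example, not from the thread. Emits (does not apply) an ipfw rule set
# in which each customer network costs one rule per direction, and the
# per-customer policy lives in a single shared block reached via skipto.
# Rule numbers and sample networks are constructed for illustration.

COMMON_IN=1000    # start of the shared inbound policy (assumed number)
COMMON_OUT=2000   # start of the shared outbound policy (assumed number)

gen_rules() {
    n=100   # first per-customer rule; the ~5 bogus-packet checks go before it
    for net in "$@"; do
        # A skipto target must be numbered above the rule that branches to it.
        if [ "$n" -ge $((COMMON_IN - 1)) ]; then
            echo "too many networks for the per-customer rule range" >&2
            return 1
        fi
        # Ingress pass: only traffic headed for this block is diverted.
        echo "ipfw add $n skipto $COMMON_IN ip from any to $net in"
        n=$((n + 1))
        # Egress pass: only traffic leaving this block is diverted.
        echo "ipfw add $n skipto $COMMON_OUT ip from $net to any out"
        n=$((n + 1))
    done
    # ipfw walks rules in number order, so a packet matching no skipto would
    # otherwise continue straight into the shared inbound block and be denied.
    # Terminate it here with the same result the old set gave it: the
    # default allow at the end.
    echo "ipfw add $((COMMON_IN - 1)) allow ip from any to any"
    # Shared inbound policy, evaluated once per diverted packet. Same
    # semantics as the original four-rule set: replies, listed service
    # ports, deny the rest. Every rule here terminates the packet.
    echo "ipfw add $COMMON_IN allow tcp from any to any established in"
    echo "ipfw add $((COMMON_IN + 10)) allow tcp from any to any 22,25,80,443 setup in"
    echo "ipfw add $((COMMON_IN + 20)) deny ip from any to any in"
    # Shared outbound policy: the original only short-circuited established
    # flows to allow; anything else fell through to the default allow, as here.
    echo "ipfw add $COMMON_OUT allow tcp from any to any established out"
}

# Usage: review the output, then pipe it to sh as root on the firewall.
# gen_rules 192.0.2.0/24 198.51.100.0/24
```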