The average firewall ruleset runs around 600-800 rules, running on IPFW.
That's a huge number of rules -- do you have any idea what number of packets are checked against how many rules before being accepted or denied? A histogram would be nice....
Most of these rules are a simple "ipfw deny all from x.x.x.x to any." Could some sort of source route to a null interface be better?
The base ruleset is about 160 rules. The box can handle this with minimal CPU load. The additional 500 rules, similar to the one above are the problem.
I'm of the opinion that 100 rules makes for a very large ruleset.
Suggestions?
So, you're incurring a huge penalty for those packets that you allow in order to deny hosts/networks explicitly. Why? What percentage of packets are denied if you let them fall through to the bottom?
Also, I strongly urge you to switch to IPFW2 -- in addition to using sets you can enable or disable atomically, or switch atomically, you can do things like:
#!/bin/sh
# fw rules
bad_guys="{ \
61.11.0.0/19 or \
61.144.16.0/16 or \
61.72.248.192/26 or \
203.248.0.0/13 or \
210.72.224.0/24 or \
211.71.128.0/18 or \
211.104.0.0/13 or \
211.112.0.0/13 or \
211.194.117.160/27 or \
212.45.13.0/24 or \
217.80.0.0/13 or \
218.144.0.0/12 \etc. }"
# people we simply are not at home for ipfw add 00700 set 0 deny ip from $bad_guys to any in recv $oif
# block those Microsoft protocols ipfw add 00900 set 0 deny ip from any to any 137-139,445,568-569,1433-1434,1512,2002 in recv $oif
You get the idea -- it's not just the expressiveness of the notation, but the efficiency in matching packets that helps.
_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
