Netgate Discussion Forum

    Can i do this…[with pfsense]

      marcelloc

      Do you plan to just limit inbound connections, or use Snort?

      Treinamentos de Elite: http://sys-squad.com

      Help a community developer! ;D

        lqlqlq

        I need to restrict connections on ports 27005:27051 with length 0:32 and 1250:65535,
        and limit any connections over 3 on these ports too.
        And something else for Apache.
        It's a good option to restrict all connections for the hosting machine to 500, and all over 500 - dropped.

          marcelloc

          You can try with the current hardware, but you may need more CPU and memory for 1gb.

          On firewall rules, just click on advanced options and set a connection limit per IP for your rules.

            lqlqlq

            How much RAM and what CPU are needed to do this for 1gbps?
            My motherboard is old and limits memory capacity to 2gb.
            And the CPU support list says this: http://www.asus.com/Motherboards/P5GPLX_SE/#support_CPU
            Any suggestions about a CPU from this list? (Some CPUs have HT.)

            And in pfSense, is there an option for this:

            It's a good option to restrict all connections for the hosting machine to 500, and all over 500 - dropped.

            ?

              marcelloc

              @lqlqlq:

              And in pfSense, is there an option for this:
              It's a good option to restrict all connections for the hosting machine to 500, and all over 500 - dropped.

              Yes, on same advanced rule option.

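Added example, not part of the original posts and not pfSense's own generated ruleset: a hand-written pf.conf sketch of what the per-rule advanced options discussed above (a limit per source IP and a cap on total connections) correspond to in pf, the packet filter pfSense is built on. The interface name, addresses, table name and the Apache limits are assumptions; the packet-length condition from the question is not expressed here.

```pf
# Constructed example values: interface and addresses are placeholders
# (192.0.2.0/24 is a documentation range), not taken from the thread.
ext_if   = "em0"
game_srv = "192.0.2.10"
web_srv  = "192.0.2.10"

# Sources that exceed the TCP limits below are added to this table.
table <abusers> persist

# Default deny inbound; pf uses the last matching rule unless "quick" is set.
block in on $ext_if all

# Drop everything from sources already flagged as abusive.
block in quick on $ext_if from <abusers>

# Game ports (UDP), range 27005:27051 as in the question.
#   max-src-states 3 : at most 3 simultaneous states per source address
#   max 500          : at most 500 states created by this rule in total;
#                      packets that would create more stop matching this
#                      rule and fall back to the block rule above
pass in on $ext_if inet proto udp from any to $game_srv port 27005:27051 \
    keep state (source-track rule, max 500, max-src-states 3)

# Apache (TCP). The limits here are illustrative assumptions.
#   max-src-conn      : established TCP connections per source address
#   max-src-conn-rate : new connections per source, here 15 per 5 seconds
#   overload ... flush global : add the offender to <abusers> and kill
#                               all of its existing states
pass in on $ext_if inet proto tcp from any to $web_srv port { 80, 443 } \
    flags S/SA keep state (source-track rule, max 500, \
    max-src-conn 50, max-src-conn-rate 15/5, \
    overload <abusers> flush global)
```

Note that `max` counts only the states created by the rule it is attached to, so a single cap of 500 for the whole machine needs one rule that covers all of its traffic. A file like this can be syntax-checked without loading it using `pfctl -nf <file>`.
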
                jasonlitka

                @lqlqlq:

                How much RAM and what CPU are needed to do this for 1gbps?
                My motherboard is old and limits memory capacity to 2gb.
                And the CPU support list says this: http://www.asus.com/Motherboards/P5GPLX_SE/#support_CPU
                Any suggestions about a CPU from this list? (Some CPUs have HT.)

                And in pfSense, is there an option for this:

                It's a good option to restrict all connections for the hosting machine to 500, and all over 500 - dropped.

                ?

                Netburst-class hardware, especially not a Celeron, won't cut it for 1Gb/s.

                I can break anything.

                  lqlqlq

                  Please suggest a hardware spec for me.
                  I have an AMD Athlon X2 4200 @ 2.2ghz 90nm.
                  Can this CPU with 2gb DDR2 handle 1gbps?

                  PP:
                  @marcelloc - thanks for the replies :)

                    marcelloc

                    To fight DDoS, you will need the best hardware you can buy.

                    Maybe a quad core with 08gb RAM is a good start.

                      wallabybob

                      @lqlqlq:

                      Please suggest a hardware spec for me.
                      I have an AMD Athlon X2 4200 @ 2.2ghz 90nm.
                      Can this CPU with 2gb DDR2 handle 1gbps?

                      A problem with your configurations is that 1Gbps sustained into the system would fully saturate the PCI bus leaving no bandwidth for forwarding.

                      If the system has the slots you would be better off with two PCI-E NICs or even one PCI and one PCI-E (which is unlikely to be able to give you sustained 1Gbps throughput but should do better than the two PCI NICs if the CPU is sufficiently capable).

                      Adding cores doesn't help with basic firewalling (which is currently single threaded) but would help if you have a significant application load (squid? snort?).

                      Throughput is highly dependent on packet size. A CPU capable of 1Gbps throughput in 1500 byte packets might struggle to give 200Mbps in 100 byte packets.

                      I suggest you start with one of your systems and monitor it and run some benchmarks with something like your expected load, then tweak as necessary and as you have money. But remember there is more to getting better performance than faster CPUs or more CPUs.

                        stephenw10 Netgate Administrator

                        I have to say that you are trying to mitigate a DDoS attack at the wrong end of your connection. It doesn't matter how good at filtering your firewall is; if an attacker can hit you with more than 100Mbps of traffic, it's going to fill your connection.

                        Steve

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.