Can I do this… [with pfSense]



  • Hello and greetings from Bulgaria.
    I'm planning to build a pfSense firewall only for me (for one computer, like a hardware firewall).
    I have these specs:
    Celeron D 330J socket 775 (one core with 2.66 GHz / 256 KB L2 cache)
    Asus P5GPLX_SE (3x PCI, 1x PCI-e)
    2x Dual Gigabit LAN (PCI):
    Intel GT
    Intel MT
    160 GB WD Blue
    2x 512 MB DDR 400

    I need to use this build to protect against UDP/TCP DDoS at 1 Gbps (Apache and HLDS (Counter-Strike) servers).
    My plan is:
    The Ethernet cable will exit from the media converter, pass into the Intel GT 1000 LAN card, exit from the MT (1000) and go to my hosting machine with an
    HP server card (PCI-E slot, gigabit).
    I have a direct VLAN with 100 Mbps Bulgarian peering, but I'm planning to get a 1 Gbps link in the future…

    Is this possible?
    I'm new to this, and sorry for my language.
    Thanks for any answers.



  • Do you plan to just limit inbound connections, or use Snort?



  • I need to restrict connections on ports 27005:27051 with length 0:32 and 1250:65535,
    and limit connections to no more than 3 on these ports too.
    And something else for Apache.
    It's a good option to restrict all connections for the hosting machine to 500, and everything over 500 is dropped.



  • You can try with the current hardware, but you may need more CPU and memory for 1 Gb.

    On firewall rules, just click on advanced options and set a connection limit per IP for your rules.



  • How much RAM and what CPU are needed to do this for 1 Gbps?
    My motherboard is old and limits memory capacity to 2 GB.
    And the CPU support list says this: http://www.asus.com/Motherboards/P5GPLX_SE/#support_CPU
    Any suggestion about a CPU from this list? (Some CPUs have HT.)

    And in pfSense, is there an option for this:

    It's a good option to restrict all connections for the hosting machine to 500, and everything over 500 is dropped.

    ?



  • @lqlqlq:

    And in pfSense, is there an option for this:
    It's a good option to restrict all connections for the hosting machine to 500, and everything over 500 is dropped.

    Yes, in the same advanced rule options.
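
The per-IP and per-rule limits marcelloc refers to are pf state options; pfSense writes them into the ruleset it generates from the advanced options of a rule. The following pf.conf fragment is an added example, not taken from the thread or from pfSense's own generated rules. It assumes the hosting machine is 192.0.2.10 (a documentation address), the WAN interface is em0, the game servers listen on UDP 27005-27051 and Apache on TCP 80. It caps each rule at 500 states, allows 3 states per source on the game ports, rate-limits new TCP connections to Apache, and moves sources that exceed a limit into a table whose traffic is dropped. pf has no packet-length match, so the 0:32 / 1250:65535 length filter from the question is not expressed here.

```pf
# Added example (not from the thread). Interface, address and ports are assumptions.
wan        = "em0"
host       = "192.0.2.10"     # hosting machine behind the firewall (documentation address)
game_ports = "27005:27051"    # HLDS / Counter-Strike range from the question

# Sources that exceed a limit below are inserted here and dropped on the next
# packet. "persist" keeps the table even when it is empty; entries can be
# aged out with: pfctl -t abusers -T expire 3600
table <abusers> persist
block in quick on $wan from <abusers> to any

# Game ports (UDP). "max 500" limits the states this rule may hold in total;
# "max-src-states 3" limits simultaneous states per source address
# (source-track rule is implied by max-src-states but written out for clarity).
# A source over the limit is added to <abusers> and its states are flushed.
pass in quick on $wan proto udp from any to $host port $game_ports \
    keep state (source-track rule, max 500, max-src-states 3, \
    overload <abusers> flush)

# Apache (TCP). Same 500-state cap, at most 20 established connections per
# source, and at most 15 new connections per 5 seconds per source.
# max-src-conn and max-src-conn-rate only apply to TCP, which is why the UDP
# rule above uses max-src-states instead. "flush global" also kills that
# source's states created by other rules.
pass in quick on $wan proto tcp from any to $host port 80 flags S/SA \
    keep state (source-track rule, max 500, max-src-conn 20, \
    max-src-conn-rate 15/5, overload <abusers> flush global)
```

Load it with `pfctl -nf` first to check the syntax, then `pfctl -f`; `pfctl -t abusers -T show` lists the sources that have been caught. The per-rule `max` is what gives the "500 and everything over is dropped" behaviour: once the rule holds 500 states, further new flows matching it fail to create a state and are not passed.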



  • @lqlqlq:

    How much RAM and what CPU are needed to do this for 1 Gbps?
    My motherboard is old and limits memory capacity to 2 GB.
    And the CPU support list says this: http://www.asus.com/Motherboards/P5GPLX_SE/#support_CPU
    Any suggestion about a CPU from this list? (Some CPUs have HT.)

    And in pfSense, is there an option for this:

    It's a good option to restrict all connections for the hosting machine to 500, and everything over 500 is dropped.

    ?

    Netburst-class hardware, especially a Celeron, won't cut it for 1 Gb/s.



  • Please suggest me a hardware spec.
    I have an AMD Athlon X2 4200 @ 2.2 GHz, 90 nm.
    Can this CPU with 2 GB DDR2 handle 1 Gbps?

    PS:
    @marcelloc - thanks for the replies :)



  • To fight DDoS, you will need the best hardware you can buy.

    Maybe a quad core with 8 GB RAM is a good start.



  • @lqlqlq:

    Please suggest me a hardware spec.
    I have an AMD Athlon X2 4200 @ 2.2 GHz, 90 nm.
    Can this CPU with 2 GB DDR2 handle 1 Gbps?

    A problem with your configuration is that 1 Gbps sustained into the system would fully saturate the PCI bus, leaving no bandwidth for forwarding.

    If the system has the slots, you would be better off with two PCI-E NICs, or even one PCI and one PCI-E (which is unlikely to be able to give you sustained 1 Gbps throughput, but should do better than the two PCI NICs if the CPU is sufficiently capable).

    Adding cores doesn't help with basic firewalling (which is currently single threaded), but would help if you have a significant application load (Squid? Snort?).

    Throughput is highly dependent on packet size. A CPU capable of 1 Gbps throughput in 1500-byte packets might struggle to give 200 Mbps in 100-byte packets.

    I suggest you start with one of your systems, monitor it and run some benchmarks with something like your expected load, then tweak as necessary and as you have money. But remember there is more to getting better performance than faster CPUs or more CPUs.


  • Netgate Administrator

    I have to say that you are trying to mitigate a DDoS attack at the wrong end of your connection. It doesn't matter how good at filtering your firewall is: if an attacker can hit you with more than 100 Mbps of traffic, it's going to fill your connection.

    Steve

