Messages - lucifercipher

#16
15.7 Legacy Series / DDoS Mitigation Level
October 19, 2015, 05:48:14 PM
Has anyone experienced a small or medium level DDoS attack? Please share your experiences. Today I ran an in-house DDoS simulation and an i7, quad core with 8 Gig of RAM boped in :) Though the device knew a TCP/UDP DDoS was under way.
#17
15.7 Legacy Series / Re: Global IP Fastforward
October 18, 2015, 07:08:30 PM
That is fine Bill and I'll remember your name 8). One can always turn it on and off from the interface or via shell but I was just curious about knowing why it was turned out by default. If a user wishes to use IPSec then he can always disable it by default, right? There are up to 95% packet rate forwarding performance improvements with ip fast forwards.

Thanks!
#18
15.7 Legacy Series / Re: Global IP Fastforward
October 18, 2015, 07:02:40 PM
Thank you Pheonix! Let me check the findings from Olivier. Did you encounter IPSec breaking when enabled? Any findings that you can share with me?
#19
15.7 Legacy Series / [SOLVED] Global IP Fastforward
October 18, 2015, 06:54:43 PM
Hey mate "franco",

Why is net.inet.ip.fastforwarding disabled by default? Does it have something to do with the 64bit kernel driver offsets or does it downgrade the performance on amd64? Please clarify as per your tests mate.

Thanks.
#20
15.7 Legacy Series / Re: [SOLVED] Can't add VIP Alias
October 14, 2015, 10:55:51 PM
Hey guys,

I tried to replicate this and didn't see the bug. The VIP shows up fine on the interface too. What am I missing here?
#21
No worries matey and thanks for digging into it. I'll grab the raw util.inc and rebuild to see if the netstat issue has gone away once you push the final changes after testing to the github.

Cheers.
#22
Here it is Franco. These are the three steps you can try to replicate the problem.

#23
So for development branches, a fresh pull of ports git will do the job? What exactly is changed with the 15.7.4? I can just get that component and rebuild the test images without losing changes to my testing trees.

But then again, I can always do freebsd-update fetch and install on the development machine to get the patches anyway, right Franco?
#24
Hey bud,

Try to replicate this.

1. Create a VLAN
2. Assign Interface
3. Select the newly created interface "use logical name instead of VLAN primary from dropdown"
4. Click Apply

*Boom* OS dies completely, won't reboot, won't let you reset to factory defaults. I tested three times with new installation testing and all came out with the same result.
#25
OPNSense is purely based on FreeBSD and its hardened version aka HardenedBSD which Franco is a part of :). FreeBSD has its advantages just like OpenBSD does. True OpenBSD ran into Power bill funding requirements then request for funding to make PF SMP capable. But look at the history. They proudly advertise it on their website "Only two remote holes in the default install, in a heck of a long time!" Running OpenBSD for website hosting / co-location is ideal and so is their firewall. You will only need SMP if you go whacko with the traffic loads. Even non-SMP, OpenBSD's pf does a pretty good job. The top notch OpenSSL along with few critical components that make the Internet came from OpenBSD.

With FreeBSD, you get more control and more support + documentation but then again it's all a matter of choice. OPNSense using FreeBSD is best because its foundation came all the way back from m0n0wall. Plus, third party support is more in packages. For example, I wanted to have an ERP deployed on a secure OS foundation and there was a FreeBSD package available on ERP website. So I had to build it from source over OpenBSD to get it going which took me an hour or two.

Like I said, it's all about choices. Whatever suits you. Everyone has tried their level best to make their brand / project as successful as possible.
#26
15.7 Legacy Series / Re: CPU usage
July 18, 2015, 07:44:39 PM
Hello,

There is one thing that you have to keep in mind and most users overlook that fact of active v/s passive ethernet chips/cards. If you have Realtek or other passive card then your CPU will get even busier with the traffic forwarding. There is also one thing to note here and that is realtime process usage. When you access the GUI then of course php-cgi will show higher load. The best bet would be to check your RRD graph average over time.

I didn't see process hungry Suricata or any other service so I assume that you only use the IP/DNS Masquerading with firewall component.
#27
15.7 Legacy Series / Re: CPU usage
July 16, 2015, 11:18:33 PM
Do a "top -SH" to find out which process is the culprit.
#28
What Franco is trying to say is, OpenSSL became a headache for maintainers after a sudden burst of several critical vulnerabilities. So the apparent long term fix was forking and coming up with LibreSSL. :)
#29
Hey my friend. It's a success. Running custom kernel in tests with different tuned variables. I will post the results later after intensive lab testing. Thanks for your guidance. All credit goes to you Franco. You da man!
#30
Nope. It wasn't that. It was the wrong work dir that I had set. Now set to "latest" instead of "15.7" Crap! :D