I am looking for comments and suggestions regarding the merits of purpose-built, appliance-style firewalls (like a NetScreen or Cisco PIX) vs. running ipfw on a commodity server running FreeBSD. I am interested only in packet filtering and rate limiting performance - NOT in VPNs or IPsec/crypto considerations.

Currently, I run a FreeBSD firewall running ipfw (500 MHz Celeron, 256 MB RAM). This machine does nothing - it runs no services but ssh, and simply sits at my network border doing packet filtering. I have a lot of hosts (four /24s - about 500 active IPs) behind this firewall, and generally push 5-7 megabits/s. Sometimes it can go as high as 12. The point is, the box is always fine and I am happy with it.

Recently I have started getting more and more DoS and DDoS attacks. They range from very simple SYN floods to ICMP echo floods to very odd UDP floods. The problem I am running into is simply that my firewall CPU chokes. It is not because the traffic is high - the line does not become saturated, and sometimes total traffic can be less than 5 megabits/s - BUT the packets/s count goes way up (sometimes by a factor of 50), and because all of these packets have to go through my entire ruleset, the firewall's CPU chokes. It does not crash; it simply stops forwarding any traffic, effectively blackholing my entire network. As soon as the attack is stopped, the firewall is fine.

I have responded by doing a ton of research, testing, reading ... and so on. Blocking obviously bad packets, rate limiting ICMP echo responses, rate limiting TCP RSTs - I admit I have a long way to go before I exhaust the bag of tricks that people have to improve their FreeBSD+ipfw firewalls. But every time I improve the ruleset, something new comes along - something that gets through the nets - and once again I have some weird attack at 12-15K packets/second traversing all 400 of my firewall rules (because they don't match anything until the end, when they are allowed through) and choking my firewall up. It is very frustrating because the attacks are small in terms of bandwidth - never more than 10 megabits/s. It is simply too many packets/s and not a sophisticated enough ruleset to keep the high-rate garbage from traversing every rule.

So my questions are as follows:

1. Am I wasting my time trying to make my FreeBSD+ipfw firewall more resilient and sophisticated? Again, I have probably only scratched the surface, but let's say I emerge from my office 12 months from now having memorized the ipfw source code and having learned _everything_ there is to learn about this problem - will I simply conclude that FreeBSD+ipfw is not good enough and I just need to go get an appliance?

2. I happen to like a host-based firewall (a firewall running on a normal user OS like FreeBSD) better than an appliance. You get to do anything you need with it; you have a full complement of Unix tools like grep and awk and tcpdump and expect, etc. - it seems like you have more control. Assuming (for a moment) that performance were equal, does anyone else feel this way? Does anyone else prefer a normal system for a firewall over, say, a PIX?

3. I am not that high profile ... but what do the high-profile people (shell servers like foonet and EFnet IRC server operators) use? Would any of those people consider even for a moment using a FreeBSD+ipfw system for their packet filtering and rate shaping?

I just want to know if I should give up now and shell out a few grand for an appliance, or if it is reasonable for me to attempt to protect a network of my size. Thank you very much.
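The cost the post describes (a flood that matches nothing until the catch-all rule, so every packet pays for all 400 rules) is a property of any first-match, linearly evaluated ruleset, and it is easy to quantify. The following is an added example, not code from the original post and not ipfw syntax: it models a 400-rule allow list with a final catch-all, counts rule evaluations per packet for a constructed 10,000 packets/s ICMP burst, and then prepends one cheap terminating rule (a token-bucket budget of 100 ICMP packets/s, burst 20; the rate, the host addresses and the `TokenBucket`/`build_ruleset`/`compare` helpers are all assumptions chosen for illustration). The point it demonstrates is that what matters for CPU under a packet-rate attack is where in the ruleset the flood's packets terminate, not the bandwidth they carry; legitimate TCP traffic pays exactly one extra rule for the early check.

```python
"""Cost model of a first-match, linearly evaluated packet filter (added example).

Simplified model of ipfw-style top-to-bottom evaluation; the rule shape and the
TokenBucket are illustrative, not ipfw's real `limit`/dummynet semantics.
Every packet below is constructed in memory.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0   # 0 for protocols without ports
    ts_us: int = 0   # arrival time in microseconds (integers keep the maths exact)


@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    proto: Optional[str] = None          # None matches any protocol
    dst: Optional[str] = None
    dport: Optional[int] = None
    # Optional budget check: the rule matches only when it returns True (over budget).
    over_budget: Optional[Callable[[Packet], bool]] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.over_budget is not None and not self.over_budget(p):
            return False
        return True


class TokenBucket:
    """Integer token bucket: `rate` tokens per second, at most `burst` stored."""
    SCALE = 1_000_000  # tokens are kept in millionths so microsecond maths is exact

    def __init__(self, rate: int, burst: int) -> None:
        self.rate = rate
        self.capacity = burst * self.SCALE
        self.tokens = self.capacity
        self.last_us = 0

    def over_limit(self, now_us: int) -> bool:
        # tokens/s * microseconds = millionths of a token
        self.tokens = min(self.capacity, self.tokens + (now_us - self.last_us) * self.rate)
        self.last_us = now_us
        if self.tokens >= self.SCALE:
            self.tokens -= self.SCALE
            return False
        return True


def build_ruleset(early: Optional[Rule] = None) -> List[Rule]:
    """400 specific allow rules then a catch-all allow (the post's 'nothing
    matches until the end' shape). `early` is prepended as rule 1 if given."""
    rules: List[Rule] = [early] if early is not None else []
    for host in range(1, 101):                     # 100 hosts x 4 ports = 400 rules
        for port in (22, 25, 80, 443):
            rules.append(Rule("allow", proto="tcp", dst=f"10.0.0.{host}", dport=port))
    rules.append(Rule("allow"))                    # final 'allow ip from any to any'
    return rules


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """First match wins. Returns (action, number of rules evaluated)."""
    for n, rule in enumerate(rules, start=1):
        if rule.matches(p):
            return rule.action, n
    return "deny", len(rules)   # implicit default deny if nothing matched


def run(rules: List[Rule], packets: List[Packet]) -> Dict[str, int]:
    summary = {"rules": len(rules), "allowed": 0, "denied": 0, "evaluations": 0}
    for p in packets:
        action, cost = evaluate(rules, p)
        summary["allowed" if action == "allow" else "denied"] += 1
        summary["evaluations"] += cost
    return summary


def constructed_icmp_burst(n: int = 1000, interval_us: int = 100) -> List[Packet]:
    """Constructed sample input: n ICMP packets to one host at 10,000 packets/s."""
    return [Packet("icmp", "198.51.100.7", "10.0.0.50", ts_us=i * interval_us) for i in range(n)]


def compare() -> Dict[str, Dict[str, int]]:
    burst = constructed_icmp_burst()
    legit = Packet("tcp", "203.0.113.9", "10.0.0.50", dport=80)   # constructed legit packet

    baseline = build_ruleset()
    # Early rule: ICMP above 100 packets/s (burst 20) terminates at rule 1.
    bucket = TokenBucket(rate=100, burst=20)
    limit_rule = Rule("deny", proto="icmp", over_budget=lambda p: bucket.over_limit(p.ts_us))
    limited = build_ruleset(early=limit_rule)

    return {
        "baseline": dict(run(baseline, burst), legit_cost=evaluate(baseline, legit)[1]),
        "limited": dict(run(limited, burst), legit_cost=evaluate(limited, legit)[1]),
    }


if __name__ == "__main__":
    for name, s in compare().items():
        print(f"{name:8s} rules={s['rules']:3d} allowed={s['allowed']:4d} denied={s['denied']:4d} "
              f"evaluations={s['evaluations']:7d} legit_tcp_cost={s['legit_cost']}")
```

With the baseline ordering the 1,000-packet burst costs 401,000 rule evaluations (401 per packet); with the early budget rule it costs 12,629, because 971 of the packets terminate at rule 1 and only the 29 within budget walk the full list. The same reasoning applies to whatever the next flood looks like: a rule that recognises its shape is only useful if it sits near the top, and a default-allow tail is what makes every unrecognised packet the most expensive kind.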