我们来探讨如何用MONO抗ddos - 第2页 - Linux、BSD、Unix - 自由的生活_软路由

analyst 发表于 2005-5-9 13:41:44

好在fxp、rl、vr这些都还算比较好找。楼上也是牛人，大家赶快pm问问题啊。

su30fly 发表于 2005-5-9 18:51:34

14楼的高手请问一个问题:开了polling后对于抗ddos有什么好处吗?

loser1234 发表于 2005-5-9 22:51:09

好像需要打那个ipf＋ipfw的patch。。

edwardj 发表于 2005-5-9 22:54:44

一些建议：ddos 的时候看看内核的 mbuf，mbuf 耗尽的话系统就不会接受/发起任何连接了root@gw2:~/>#netstat -m514/1728/7040 mbufs in use (current/peak/max): 514 mbufs allocated to data512/1384/1760 mbuf clusters in use (current/peak/max)3200 Kbytes allocated to network (60% of mb_map in use)0 requests for memory denied0 requests for memory delayed0 calls to protocol drain routines必要的话加大内核的 mbufs。root@gw2:~/>#sysctl -a | grep mbufskern.ipc.nmbufs: 7040这是偶机器上系统的默认值。不过 mbuf 在运行中是不能修改的，要改的话需要修改 /etc/sysctl.conf打开 polling，降低 cpu 占用；这个要重做内核，且需要网卡驱动支持打开 ipnat 的 LARGE_NAT，在 ipf 包的 ipnat.h 中，重新编译。偶不知道 m0n0 有没有打开这个

CODE
root@gw2:/usr/src/sys/contrib/ipfilter/netinet/>#grep -in large_nat *h ip_nat.h:30:#undef LARGE_NAT /* define this if you're setting up a system to NATip_nat.h:38:# ifdef LARGE_NATip_nat.h:45:# ifdef LARGE_NATip_nat.h:52:# ifdef LARGE_NATip_nat.h:59:# ifdef LARGE_NATip_nat.h:66:# ifdef LARGE_NATroot@gw2:/usr/src/sys/contrib/ipfilter/netinet/>#head -50 ip_nat.h | tail -21#undefLARGE_NAT /* define this if you're setting up a system to NAT * LARGE numbers of networks/hosts - i.e. in the * hundreds or thousands.In such a case, you should * also change the RDR_SIZE and NAT_SIZE below to more * appropriate sizes.The figures below were used for * a setup with 1000-2000 networks to NAT. */#ifndef NAT_SIZE# ifdef LARGE_NAT#define NAT_SIZE 2047# else#define NAT_SIZE 127# endif#endif#ifndef RDR_SIZE# ifdef LARGE_NAT#define RDR_SIZE 2047# else#define RDR_SIZE 127# endif#endif

su30fly 发表于 2005-5-10 21:50:38

既然要在freebsd下编译,哪还要M0N0WALL_NET45XX这个配置文件干什么?m0n0下载地址:http://m0n0.ch/wall/downloads里的 net45xx-1.2b7.img 和generic-pc-1.2b7.img这2个镜像有什么区别?

analyst 发表于 2005-5-10 22:30:13

img文件不是你需要的，建议看handbook。

页: 1 [2]

自由的生活_软路由's Archiver