Re: Firewall Performance Question.

From: Darcy Buskermolen (darcy_at_wavefire.com)
Date: 06/19/03

    To: Tom Daly <tom@dyndns.org>, Michael Sierchio <kudzu@tenebras.com>
    Date: Thu, 19 Jun 2003 14:43:48 -0700
    
    

    You could try organizing your rules using skipto to reduce the number of
    rules any packet has to traverse, for example...

    100 skipto 1000 ip from 1.0.0.0/4 to my-ip
    200 skipto 2000 ip from 128.0.0.0/4 to my-ip

    1000 deny ip from 24.6.76.8 to any
    1001 deny ip from 65.65.26.7 to any
    1999 skipto 3000 ip from any to any

    2000 deny ip from 192.168.0.1 to any
    2001 deny ip from 243.74.87.32 to any
    2999 skipto 3000 ip from any to any

    3000 allow ip from any to any

    This would in effect reduce the number of rules any packet was traversing by
    50%

    I hope this gets your mind thinking...

    On Thursday 19 June 2003 14:08, Tom Daly wrote:
    > Hi,
    >
    > On Thu, 19 Jun 2003, Michael Sierchio wrote:
    > > Tom Daly wrote:
    > > > I am currently running a Dell Poweredge 350 with FreeBSD 4.7 as a
    > > > network firewall for one of our sites. This site sees about 3 megabits
    > > > of traffic.
    > >
    > > per some unit of time, I presume? ;-) maybe 3Mbit/s?
    >
    > Yes, 3Mbits/s.
    >
    > > > The average firewall ruleset runs around 600-800 rules, running on
    > > > IPFW.
    > >
    > > That's a huge number of rules -- do you have any idea what number
    > > of packets are checked against how many rules before being accepted
    > > or denied? A histogram would be nice....
    >
    > Most of these rules are a simple "ipfw deny all from x.x.x.x to any."
    > Could some sort of source route to a null interface be better?
    >
    > > > Could this be a direct cause of why my system's interrupt usage is over
    > > > 50% at many times, as well as sending ICMP source quenches from time to
    > > > time?
    > > >
    > > > Can anyone suggest a performance tweak to help this box along?
    > >
    > > Without seeing the ruleset, I'd venture a guess that IPFW2 would
    > > help reduce the number of rules, and that a clever refactoring
    > > (with poss. use of skipto rules) might reduce the load.
    >
    > The base ruleset is about 160 rules. The box can handle this with minimal
    > CPU load. The additional 500 rules, similar to the one above are the
    > problem.
    >
    > Suggestions?
    >
    > Tom
    >
    > > --
    > >
    > > "Well," Brahma said, "even after ten thousand explanations, a fool is no
    > > wiser, but an intelligent man requires only two thousand five hundred."
    > > - The Mahabharata
    > >
    > > _______________________________________________
    > > freebsd-net@freebsd.org mailing list
    > > http://lists.freebsd.org/mailman/listinfo/freebsd-net
    > > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

    -- 
    Darcy Buskermolen
    Wavefire Technologies Corp.
    ph: 250.717.0200
    fx:  250.763.1759
    http://www.wavefire.com
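An added example, not part of Darcy's reply and not FreeBSD's own code: a small sh/awk generator that carries the skipto idea above through for all sixteen /4 address blocks rather than the two shown, plus a simulator that counts how many rules a packet from a given source consults in the generated set. The BLOCKED list, the rule-number scheme (dispatch at 100-115, a block of 1000 numbers per /4, final allow at 20000) and the count_checks walk are constructed assumptions of this example; the walk models ipfw's first-match and skipto behaviour only for the rule shapes emitted here.

```shell
#!/bin/sh
# Added example (not from the original post): generate an ipfw ruleset that
# partitions source-address deny rules into /4 buckets reached via skipto,
# and count how many rules a packet consults in the result.

# Constructed sample list of sources to deny, one per line.
BLOCKED='24.6.76.8
65.65.26.7
140.2.3.4
192.168.0.1
243.74.87.32'

# gen_ruleset: read addresses on stdin, print ipfw "add" lines on stdout.
# Numbering scheme (an assumption of this example):
#   100-115              dispatch: skipto the block for the packet's /4
#   199                  no block for this /4: jump straight to the final allow
#   1000+b*1000 .. +998  deny entries of bucket b (at most 998 per bucket)
#   1000+b*1000+999      end of bucket b: skipto the final allow
#   20000                allow everything that was not denied
gen_ruleset() {
  awk '
  function bucket(addr,   o) { split(addr, o, "."); return int(o[1] / 16) }
  /^[ \t]*$/ { next }
  { b = bucket($1); n[b]++; ent[b, n[b]] = $1 }
  END {
    for (b = 0; b < 16; b++)
      if (n[b] > 0)
        printf "add %d skipto %d ip from %d.0.0.0/4 to any\n", 100 + b, 1000 + b * 1000, b * 16
    printf "add 199 skipto 20000 ip from any to any\n"
    for (b = 0; b < 16; b++) {
      if (n[b] == 0) continue
      base = 1000 + b * 1000
      for (i = 1; i <= n[b]; i++)
        printf "add %d deny ip from %s to any\n", base + i, ent[b, i]
      printf "add %d skipto 20000 ip from any to any\n", base + 999
    }
    printf "add 20000 allow ip from any to any\n"
  }'
}

# count_checks RULESET SRC: simulate first-match evaluation with skipto for a
# packet from SRC and print the number of rules consulted. Only the rule
# shapes emitted by gen_ruleset are understood (exact host, /4, any).
count_checks() {
  printf '%s\n' "$1" | awk -v src="$2" '
  function b4(a,   o) { split(a, o, "."); return int(o[1] / 16) }
  function matches(spec) {
    if (spec == "any") return 1
    if (spec ~ /\/4$/) { sub(/\/4$/, "", spec); return b4(spec) == b4(src) }
    return spec == src
  }
  {
    num[NR] = $2; act[NR] = $3
    if ($3 == "skipto") { tgt[NR] = $4; spec[NR] = $7 } else { spec[NR] = $6 }
  }
  END {
    i = 1; checked = 0
    while (i <= NR) {
      checked++
      if (!matches(spec[i])) { i++; continue }
      if (act[i] != "skipto") break                       # deny/allow: terminal
      for (j = i + 1; j <= NR && num[j] < tgt[i]; j++) ;  # jump forward to target
      i = j
    }
    print checked
  }'
}

RULES=$(printf '%s\n' "$BLOCKED" | gen_ruleset)
printf '%s\n' "$RULES"
echo "checks for 243.74.87.32: $(count_checks "$RULES" 243.74.87.32)"
echo "checks for 8.8.8.8: $(count_checks "$RULES" 8.8.8.8)"
```

The output lines are in the `add ...` form that ipfw(8) accepts from a command file. On a list as short as the constructed one the dispatch overhead outweighs the saving (6 or 7 checks versus 5 or 6 for a flat list), which is the point to keep in mind: the scheme pays off only once the per-bucket blocks are long, because a packet then consults at most the 16 dispatch rules plus the entries of its own /4. Each bucket holds at most 998 entries before its deny numbers would collide with the closing skipto, so a larger list needs a wider numbering scheme or a finer partition. On later FreeBSD releases ipfw lookup tables handle large address lists directly and are the better tool.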