Date:      Thu, 19 Jun 2003 17:08:02 -0400 (EDT)
From:      Tom Daly <tom@dyndns.org>
To:        Michael Sierchio <kudzu@tenebras.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Firewall Performance Question.
Message-ID:  <Pine.BSF.4.53.0306191701320.71421@manganese.bos.dyndns.org>
In-Reply-To: <3EF21648.8080205@tenebras.com>
References:  <Pine.BSF.4.53.0306191542190.71421@manganese.bos.dyndns.org> <3EF21648.8080205@tenebras.com>

Hi,

On Thu, 19 Jun 2003, Michael Sierchio wrote:

> Tom Daly wrote:
>
> > I am currently running a Dell Poweredge 350 with FreeBSD 4.7 as a network
> > firewall for one of our sites. This site sees about 3 megabits of traffic.
>
> per some unit of time, I presume? ;-)  maybe 3Mbit/s?
>

Yes, 3Mbits/s.

> > The average firewall ruleset runs around 600-800 rules, running on IPFW.
>
> That's a huge number of rules -- do you have any idea what number
> of packets are checked against how many rules before being accepted
> or denied?  A histogram would be nice....
>

Most of these rules are a simple "ipfw deny all from x.x.x.x to any."
Could some sort of source route to a null interface be better?

> > Could this be a direct cause of why my system's interrupt usage is over
> > 50% at many times, as well as sending ICMP source quenches from time to
> > time?
> >
> > Can anyone suggest a performance tweak to help this box along?
>
> Without seeing the ruleset, I'd venture a guess that IPFW2 would
> help reduce the number of rules, and that a clever refactoring
> (with poss. use of skipto rules) might reduce the load.
>

The base ruleset is about 160 rules. The box can handle this with minimal
CPU load. The additional 500 rules, similar to the one above are the
problem.

Suggestions?

Tom

>
> --
>
> "Well," Brahma said, "even after ten thousand explanations, a fool is no
>   wiser, but an intelligent man requires only two thousand five hundred."
>                  - The Mahabharata
>

-- 
Tom Daly
tom@dyndns.org
Chief Infrastructure Officer
Dynamic DNS Network Services
http://www.dyndns.org/
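A worked example of the rule-count reduction discussed in this thread, added here and not part of the original mail: it parses a constructed `ipfw list`-style ruleset, separates the per-host "deny ip from x.x.x.x to any" rules, aggregates them into CIDR blocks and emits one table-based deny rule in their place. It assumes an ipfw2 build with table support (which a FreeBSD 4.7 box would not have); the addresses, rule numbers and table number are constructed.

```python
import ipaddress
import re

# Constructed sample in `ipfw list` format: a few base rules plus the kind
# of per-host deny rules the thread describes.
SAMPLE_RULESET = """\
00100 allow ip from any to any via lo0
00200 deny ip from 192.0.2.16 to any
00210 deny ip from 192.0.2.17 to any
00220 deny ip from 192.0.2.18 to any
00230 deny ip from 192.0.2.19 to any
00240 deny ip from 198.51.100.0/24 to any
00250 deny ip from 198.51.100.77 to any
00300 allow tcp from any to any 80
65535 deny ip from any to any
"""

# Matches "<num> deny ip from <src> to any" with no other qualifiers.
DENY_SRC = re.compile(r"^\d+\s+deny\s+ip\s+from\s+(\S+)\s+to\s+any\s*$")


def split_rules(text):
    """Separate blanket source-deny rules from everything else, keeping order."""
    sources, others = [], []
    for line in text.splitlines():
        m = DENY_SRC.match(line)
        if m and m.group(1) != "any":
            # Bare hosts become /32 networks; explicit prefixes are kept.
            sources.append(ipaddress.ip_network(m.group(1), strict=False))
        else:
            others.append(line)
    return sources, others


def collapse_sources(sources):
    """CIDR-aggregate: merge adjacent hosts, drop subnets covered by larger ones."""
    return list(ipaddress.collapse_addresses(sources))


def rewrite_ruleset(text, table_no=1, rule_no=150):
    """Return (ipfw commands loading one table and one deny rule, untouched rules).

    Assumes ipfw2 table syntax: `ipfw table N add addr/len` and `table(N)`
    as a source address; the rule number 150 is a constructed slot that
    precedes the base ruleset so denied sources are dropped early.
    """
    sources, others = split_rules(text)
    cmds = [f"ipfw table {table_no} add {n.with_prefixlen}"
            for n in collapse_sources(sources)]
    cmds.append(f"ipfw add {rule_no} deny ip from table({table_no}) to any")
    return cmds, others
```

On the sample, six per-source deny rules collapse to two table entries and a single rule; the remaining three rules pass through unchanged.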