Date:      Fri, 18 Aug 2000 12:48:40 -0400
From:      Bill Fumerola <billf@chimesnet.com>
To:        Jim Sander <jim@federation.addy.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: [Q] why does my firewall degrade Web performance?
Message-ID:  <20000818124839.R65562@jade.chc-chimes.com>
In-Reply-To: <Pine.BSF.4.10.10008181211590.3414-100000@federation.addy.com>; from jim@federation.addy.com on Fri, Aug 18, 2000 at 12:32:44PM -0400
References:  <Pine.BSF.4.10.10008180932120.25370-100000@bsdie.rwsystems.net> <Pine.BSF.4.10.10008181211590.3414-100000@federation.addy.com>

On Fri, Aug 18, 2000 at 12:32:44PM -0400, Jim Sander wrote:

>    We run a firewall with about 3000 rules- used mainly for bandwidth
> tracking purposes. The highest load average I ever see is about .1 (when
> the bandwidth tracking scripts update our database) but the telling
> numbers are this line from "top" but also available in other utilities
> like iostat, etc.
> 
> > CPU states: 0.0% user, 0.0% nice, 0.0% system, 40.5% interrupt, 59.5%idle
> 
>    The interrupt load on that machine is about 10 or 20 times higher than
> on any of the machines behind the wall. (which of course makes perfect
> sense) The hardware is a 400MHz Celeron- slowest thing we could find at
> the time, 64MB RAM, 100MB NIC, connected to a dual T1 through an etinc
> interface. (in other words it's a router-firewall in one box) The software
> is FreeBSD 3.3R and ipfw.
> 
>    I've never had trouble with slow browsing from the outside, even during
> heavy use periods. (although to be honest we've never fully maxed our
> connection out) YMMV, but I'd say that the problems described would be a
> duplex-mismatch or other oddball thing. Firewalling just isn't that hard on
> the CPU, a Cisco 2500 is like a 68030- right?

ipfw with that many rules _is_ slow and will eat interrupt CPU as you see there.

you might want to consolidate your rules, unless you're using skipto.

-- 
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
                billf@chimesnet.com / billf@FreeBSD.org
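The two layouts Bill contrasts, as an added example that is not from this thread or from the ipfw project: a POSIX sh script that emits a per-host accounting ruleset in the flat form the poster describes and in a skipto form, then compares the worst-case number of rules one packet traverses in each. The host list, the outbound-only counting, and the "3000 hosts across 12 subnets" estimate are constructed assumptions.

```shell
#!/bin/sh
# Constructed host list (assumption, not from the thread). ipfw 'count' rules
# do not terminate evaluation, so in a flat ruleset every packet walks every
# rule before it reaches the final 'allow'.
HOSTS="10.0.1.5 10.0.1.9 10.0.1.20 10.0.2.7 10.0.2.31 10.0.3.2 10.0.3.44 10.0.3.100"

# Flat layout: one count rule per host, then a single allow.
linear_rules() {
    n=100
    for h in $HOSTS; do
        echo "ipfw add $n count ip from $h to any"
        n=$((n + 1))
    done
    echo "ipfw add 65000 allow ip from any to any"
}

# skipto layout: a short dispatch table keyed on the /24 jumps to that
# subnet's block; the block ends with allow, so other blocks are never
# scanned. A skipto target must be a higher rule number than the dispatcher.
skipto_rules() {
    subnets=$(for h in $HOSTS; do echo "${h%.*}"; done | sort -u)
    d=100; blk=1000
    for s in $subnets; do
        echo "ipfw add $d skipto $blk ip from $s.0/24 to any"
        d=$((d + 1)); blk=$((blk + 1000))
    done
    echo "ipfw add 999 allow ip from any to any"   # hosts with no block
    blk=1000
    for s in $subnets; do
        n=$blk
        for h in $HOSTS; do
            case $h in "$s".*) echo "ipfw add $n count ip from $h to any"; n=$((n + 1));; esac
        done
        echo "ipfw add $((blk + 999)) allow ip from any to any"
        blk=$((blk + 1000))
    done
}

# Worst-case rules evaluated for one packet.
# Flat: every count rule plus the allow.
worst_case_linear() { set -- $HOSTS; echo $(($# + 1)); }
# skipto: all dispatch rules, the largest block, and that block's allow.
worst_case_skipto() {
    for h in $HOSTS; do echo "${h%.*}"; done | sort | uniq -c |
        awk '{ s++; if ($1 > m) m = $1 } END { print s + m + 1 }'
}
# Same bound for N hosts spread evenly over S subnets (ceil division).
estimate_skipto() { echo $(($2 + ($1 + $2 - 1) / $2 + 1)); }
```

With the poster's 3000 rules assumed to be spread over 12 subnets, estimate_skipto 3000 12 gives 263 rules on the worst path instead of 3001, which is the saving Bill's "unless you're using skipto" refers to.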
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000818124839.R65562>