Date:      Thu, 08 Aug 2002 10:45:00 +0200
From:      "Roger 'Rocky' Vetterberg" <listsub@rambo.simx.org>
To:        Patrick Thomas <root@utility.clubscholarship.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: need tunings for a loaded freeBSD firewall
Message-ID:  <3D522F8C.8060605@rambo.simx.org>
References:  <20020807135406.O28830-100000@utility.clubscholarship.com>

Patrick Thomas wrote:
> Hello,
> 
> My firewall is:
> 
> CPU: Pentium III/Pentium III Xeon/Celeron (631.29-MHz 686-class CPU)
> 
> and it is running 4.4-RELEASE.  I have made no special tunings to this
> system other than rebuilding the kernel with superfluous things like USB
> and PCMCIA removed.
> 
> The firewall has two interfaces and handles about 2megabits/second of
> traffic on average.  Recently, for reasons I cannot discern, it is choking
> on traffic.  Most ftp transfers run at 5-8 Kb/s (as opposed to 300-500 K)
> and pings with large packet sizes drop a lot of packets.
> 
> Small (normal) pings and general interactive response seem to be ok, but
> again, file transfers are horrible, and pings with large sizes drop a lot
> of packets.
> 
> When I first noticed the problem, I had roughly 400 ipfw rules loaded
> (almost all of them "count" rules for different IPs) and when I ran
> netstat -m, it told me 75% of mb_map in use
> 
> Now I have rebooted the firewall, and only a small number of ipfw rules
> are in place, and immediately after booting, it says 51% of mb_map in use.
> 
> BUT, at no time were any requests for memory denied, or delayed, and there
> have been no protocol drain routines called for.  This is what netstat -m
> looks like about 10 mins after booting:
> 
> # netstat -m
> 360/624/2304 mbufs in use (current/peak/max):
>         360 mbufs allocated to data
> 244/370/576 mbuf clusters in use (current/peak/max)
> 896 Kbytes allocated to network (51% of mb_map in use)
> 0 requests for memory denied
> 0 requests for memory delayed
> 0 calls to protocol drain routines
> 
> 
> So .... any suggestions ?  What are the general tunings that should be
> done to a simple FreeBSD firewall (again, I have done nothing but remove
> things like USB from the kernel)
> 
> Also, do the problems I describe seem consistent with the netstat -m I
> have pasted here ?
> 
> Any help/comments appreciated.
> 
> --pt

What kind of NICs do you use?
I had similar problems with a firewall, although it had a much 
higher throughput than 2MBit/s.
I solved it by rewriting some ipfw rules and changing NICs.
When switching the 3Com 905s to a couple of Intel EtherExpress 
Pro 10/100, the performance increased and the load on the machine 
decreased.

--
R

