Date:      Wed, 19 Sep 2001 03:33:49 -0500
From:      Bill Fumerola <billf@mu.org>
To:        Anthony Schneider <aschneid@mail.slc.edu>, "Marc G. Fournier" <scrappy@hub.org>
Cc:        freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject:   Re: ipfw problems ...
Message-ID:  <20010919033349.X826@elvis.mu.org>
In-Reply-To: <20010919000534.A83486@mail.slc.edu>; from aschneid@mail.slc.edu on Wed, Sep 19, 2001 at 12:05:34AM -0400
References:  <20010918134410.P87162-100000@atelier.acadiau.ca> <20010918230726.M30377-100000@mail1.hub.org> <20010919000534.A83486@mail.slc.edu>

On Wed, Sep 19, 2001 at 12:05:34AM -0400, Anthony Schneider wrote:
> it might have something to do with the prerelease nature of the machine.
> -Anthony. 

No it has nothing to do with -PRERELEASE. ipfw by any other name is ipfw.

> On Tue, Sep 18, 2001 at 11:14:50PM -0400, Marc G. Fournier wrote:
> > 
> > I ended up re-starting the machine with fw set to open, and loaded a few
> > rules at a time ... got up to 747 rules before the machine pretty much
> > ground to a halt, with the occasional keystroke going through ...
> > 
> > ~900 or so of the rules are purely 'pass thru' rules ... we have two
> > connections to the internet ... one that costs us nothing, and one that
> > costs us quite dearly ... we want to allow all traffic that goes to sites
> > on the 'costs us nothing' network to go through unimpeded, while that
> > which goes through the 'costs us quite dearly' to be 'shaped' ... the ~900
> > rules are the ones that define those b-class networks that are on the
> > 'costs us nothing' network ...
> > 
> > I'm not seeing any errors on the console to indicate a problem, it just
> > slowly grinds to a halt ... is there a setting in the kernel, or
> > somewhere, that I should be setting to allow for such a high number of
> > rules, or is it just not possible to do more than a few hundred? :(

as others have noted, if your critical path (that is, the path that the
bulk of your traffic takes) is 700 rules, your technique is flawed. I've
also seen various suggestions (skipto, mostly) on how to shorten your
ruleset list walking...

in any case, to answer your question of what happens as more rules are
added: http://people.freebsd.org/~billf/bsdcon2000/presentation/graphics/
has a few of the graphics I used in my presentation to show what happens
to ipfw as you add more rules in the critical path. different types of
rules are affected differently (and can be optimized differently, but
that's a whole different story) but they all show the same curve of poorer
performance. 'old {TCP,UDP}' is an ipfw similar to what 4.4-PRERELEASE
would have.

-- 
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org
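The linear rule walk and the skipto partitioning discussed in this thread, as an added example that is not part of the original thread or of ipfw itself: a small Python model of ipfw rule evaluation (first match wins, `skipto N` resumes at the first rule numbered >= N) that counts how many rules a packet examines under a flat 'pass-through' ruleset versus one partitioned with skipto on the first octet. The ~900 class-B networks are constructed stand-ins (130-159.0-29.0.0/16), matching is on destination address only, and the rule numbers are chosen for this model.

```python
"""Model of ipfw rule walking: a flat 'pass-through' ruleset versus one
partitioned with skipto.  Simplified simulation written for this thread,
not ipfw itself: rules match on destination address only, first match
wins, and 'skipto N' resumes at the first rule numbered >= N (ipfw semantics)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    number: int
    action: str                               # "allow", "pipe", "skipto"
    dst: Optional[ipaddress.IPv4Network]      # None means "any"
    target: int = 0                           # skipto destination rule number


# Constructed stand-in for the ~900 class-B networks on the "costs us nothing" link.
FREE_NETS = [ipaddress.IPv4Network(f"{a}.{b}.0.0/16")
             for a in range(130, 160) for b in range(0, 30)]   # 30 x 30 = 900 nets

SHAPE_RULE = 10000   # everything that reaches here goes to the shaping pipe


def evaluate(ruleset: List[Rule], dst_ip: str):
    """Return (action, rules_examined) for a packet to dst_ip."""
    addr = ipaddress.IPv4Address(dst_ip)
    i, examined = 0, 0
    while i < len(ruleset):
        r = ruleset[i]
        examined += 1
        if r.dst is None or addr in r.dst:
            if r.action != "skipto":
                return r.action, examined
            assert r.target > r.number, "ipfw only allows forward skipto"
            while i < len(ruleset) and ruleset[i].number < r.target:
                i += 1          # jump forward to first rule numbered >= target
            continue
        i += 1
    return "deny", examined     # implicit final rule 65535 deny


def flat_ruleset() -> List[Rule]:
    """One allow rule per free network, then the shaping rule: a packet
    bound for the expensive link walks all 900 allow rules first."""
    rules = [Rule(100 + k, "allow", net) for k, net in enumerate(FREE_NETS)]
    rules.append(Rule(SHAPE_RULE, "pipe", None))
    return rules


def skipto_ruleset() -> List[Rule]:
    """Dispatch on the first octet with skipto, so a packet only walks the
    block of /16s sharing its first octet (or jumps straight to shaping)."""
    rules = []
    octets = sorted({net.network_address.packed[0] for net in FREE_NETS})
    for idx, a in enumerate(octets):
        block = 1000 + idx * 100
        rules.append(Rule(100 + idx, "skipto",
                          ipaddress.IPv4Network(f"{a}.0.0.0/8"), block))
        nets = [n for n in FREE_NETS if n.network_address.packed[0] == a]
        rules.extend(Rule(block + j, "allow", n) for j, n in enumerate(nets))
        rules.append(Rule(block + 99, "skipto", None, SHAPE_RULE))  # rest of /8 is expensive
    rules.append(Rule(100 + len(octets), "skipto", None, SHAPE_RULE))  # no dispatch matched
    rules.append(Rule(SHAPE_RULE, "pipe", None))
    return sorted(rules, key=lambda r: r.number)


def compare(dst_ip: str):
    """Rules examined for one packet under the flat and the skipto layout."""
    return evaluate(flat_ruleset(), dst_ip)[1], evaluate(skipto_ruleset(), dst_ip)[1]


if __name__ == "__main__":
    for ip in ("10.1.2.3", "130.0.5.5", "159.29.1.1", "159.99.1.1"):
        print(ip, compare(ip))
```

A packet for the expensive link (no free network matches) examines 901 rules in the flat layout and 32 in the skipto layout; the worst free-network case drops from 900 to 60. The per-packet cost of the flat layout grows linearly with the number of pass-through rules in the critical path, which is the curve Bill's graphs describe.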