Date:      Wed, 14 Feb 2007 18:36:25 +0300
From:      Vladimir Kapustin <msgs_for_me@mail.ru>
To:        freebsd-pf@freebsd.org
Cc:        freebsd-isp@FreeBSD.ORG, freebsd-net@freebsd.org, freebsd-performance@FreeBSD.ORG
Subject:   How to optimize ruleset for gateway?
Message-ID:  <1024498861.20070214183625@mail.ru>

Hi, all!

I have such a problem when configuring the gateway for my LAN:

I want to minimize the number of rules, and for this purpose I chose PF,
but, as I wrote earlier
(http://lists.freebsd.org/pipermail/freebsd-pf/2007-January/002958.html)
and as I found in some mails from other people
(http://lists.freebsd.org/pipermail/freebsd-pf/2006-October/002681.html),
if I want to configure the connection speed for each user in PF, I must
configure a number of queues equal to the number of users, i.e. if I
configure one queue and allow a table of users to go to the Internet through
this queue, I see that all of them share the bandwidth of this queue.

I don't think this is a good idea, and now I am choosing among some other
variants of optimization, such as:

1. Configure PF for the major rules and SPAM filtering, and IPFW+DUMMYNET for
queueing. I've read somewhere that the IPFW shaper supports tables the way I
need. I'm afraid that two firewalls would significantly decrease performance.

2. Configure only IPFW. But this means that I have to read the full documentation
about it and find a way to protect the Internet from SPAM coming from my
local NET.

The ruleset looks like:
0. Binat for real IP.
1. Block NetBIOS
2. Pass all from table-1
3. Pass all from table-128kbps queue 1(128kbps)
4. .....................
5. Pass all from table-1024kbps queue 4(1024kbps)
6. Some spam-protection tool (like spamd)
7. Block all

Could somebody give me some advice what way to go?

P.S. Now my gateway works on a 2-processor Xeon router with Redhat and iptables.
It has a 100 Mbps Internet channel, and at the time of maximum charge it
processes 10-20 kpps.
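The ruleset outlined in the post, written out as a pf.conf in the ALTQ syntax of the FreeBSD 6 era. This is an added example, not the poster's configuration: the interface names, addresses, table files and the <smtp_relays> table are assumptions. Step 6 is filled with egress SMTP restriction rather than spamd, because spamd greylists inbound mail and does nothing about spam leaving the LAN. The comments also make the shared-queue behaviour the post complains about explicit.

```pf
# Assumed interfaces and addresses (constructed for this example).
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.0.0/16"

# One table per bandwidth class instead of one rule per user.
# The files are assumed to exist, one address or network per line.
table <users_trusted> persist file "/etc/pf/users_trusted"
table <users_128k>    persist file "/etc/pf/users_128k"
table <users_1024k>   persist file "/etc/pf/users_1024k"
table <smtp_relays>   persist { 192.168.1.25 }

set skip on lo0
scrub in all

# ALTQ hierarchy on the 100 Mbps uplink. Every host in a table is mapped to
# the SAME queue, so q_128k's 128 Kb is shared by the whole table, not given
# to each host; that is exactly the behaviour described in the post.
altq on $ext_if cbq bandwidth 100Mb queue { q_default, q_128k, q_1024k }
queue q_default bandwidth 90Mb cbq(default)
queue q_128k    bandwidth 128Kb
queue q_1024k   bandwidth 1024Kb

# 0. Binat for a host that needs a fixed public address (constructed values).
binat on $ext_if from 192.168.1.10 to any -> 203.0.113.10

# 1. Keep NetBIOS/SMB off the uplink in both directions.
block quick proto { tcp, udp } from any to any port { 137, 138, 139, 445 }

# 6. Outbound SMTP only from the known relays; everything else on port 25
#    from the LAN is dropped, so a compromised workstation cannot spam directly.
pass in quick on $int_if proto tcp from <smtp_relays> to any port 25 keep state
block in quick on $int_if proto tcp from $lan_net to any port 25

# 2-5. Per-class pass rules. The queue name is recorded in the state entry and
#      applied when the packets leave via $ext_if, where the queues are defined.
pass in quick on $int_if from <users_trusted> to any keep state
pass in quick on $int_if from <users_128k>    to any keep state queue q_128k
pass in quick on $int_if from <users_1024k>   to any keep state queue q_1024k

# 7. Anything not matched above, including LAN hosts in no table, is dropped.
block all
```

Check the parse and the resulting queue tree with `pfctl -nf /etc/pf.conf` and `pfctl -s queue` before loading it on a live gateway.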