From owner-freebsd-security Wed Sep 19 1:33:55 2001
Date: Wed, 19 Sep 2001 03:33:49 -0500
From: Bill Fumerola
To: Anthony Schneider, "Marc G. Fournier"
Cc: freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: ipfw problems ...
Message-ID: <20010919033349.X826@elvis.mu.org>
References: <20010918134410.P87162-100000@atelier.acadiau.ca> <20010918230726.M30377-100000@mail1.hub.org> <20010919000534.A83486@mail.slc.edu>
In-Reply-To: <20010919000534.A83486@mail.slc.edu>; from aschneid@mail.slc.edu on Wed, Sep 19, 2001 at 12:05:34AM -0400
X-Operating-System: FreeBSD 4.4-FEARSOME-20010909 i386

On Wed, Sep 19, 2001 at 12:05:34AM -0400, Anthony Schneider wrote:
> it might have something to do with the prerelease nature of the machine.
> -Anthony.

No it has nothing to do with -PRERELEASE. ipfw by any other name is ipfw.

> On Tue, Sep 18, 2001 at 11:14:50PM -0400, Marc G. Fournier wrote:
> >
> > I ended up re-starting the machine with fw set to open, and loaded a few
> > rules at a time ... got up to 747 rules before the machine pretty much
> > ground to a halt, with the occasional keystroke going through ...
> >
> > ~900 or so of the rules are purely 'pass thru' rules ... we have two
> > connections to the internet ... one that costs us nothing, and one that
> > costs us quite dearly ... we want to allow all traffic that goes to sites
> > on the 'costs us nothing' network to go through unimpeded, while that
> > which goes through the 'costs us quite dearly' to be 'shaped' ... the ~900
> > rules are the ones that define those b-class networks that are on the
> > 'costs us nothing' network ...
> >
> > I'm not seeing any errors on the console to indicate a problem, it just
> > slowly grinds to a halt ... is there a setting in the kernel, or
> > somewhere, that I should be setting to allow for such a high number of
> > rules, or is it just not possible to do more than a few hundred? :(

as others have noted, if your critical path (that is, the path that the
bulk of your traffic takes) is 700 rules, your technique is flawed.

I've also seen various suggestions (skipto, mostly) on how to shorten
your ruleset list walking...

in any case, to answer your question of what happens as more rules are
added:

http://people.freebsd.org/~billf/bsdcon2000/presentation/graphics/

has a few of the graphics I used in my presentation to show what happens
to ipfw as you add more rules in the critical path. different types of
rules are affected differently (and can be optimized differently, but
that's a whole different story) but they all show the same curve of
poorer performance. 'old {TCP,UDP}' is an ipfw similar to what
4.4-PRERELEASE would have.

--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org
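The skipto approach Bill refers to, worked through as an added example (this is not code from the thread, from Marc's firewall, or from FreeBSD): a shell script that emits an ipfw ruleset for a list of "costs us nothing" /16s, bucketed by first octet. ipfw evaluates rules in number order and first match wins, so a packet to a free /16 only walks the dispatcher (one rule per /8 that contains a free /16) plus the /16s of its own /8, instead of the whole list. The network list, the rule-number layout, and the dummynet pipe number are constructed or assumed for illustration; the script only prints ipfw commands and never loads them.

```shell
#!/bin/sh
# Added example, not from the thread: build an ipfw(8) ruleset in which no
# packet walks all of the "free" /16 pass rules.
# Rule-number layout (an assumption; any forward-only layout < 65535 works,
# since ipfw's skipto may only jump to a higher rule number):
#   DISPATCH_BASE + first octet : skipto the bucket for that /8
#   DISPATCH_BASE + 256         : no free /8 matched, skipto shaping
#   BUCKET_BASE + octet*STRIDE  : allow rules for the free /16s of that /8,
#                                 then a skipto shaping for the rest of the /8
#   SHAPE_RULE                  : dummynet pipe (pipe number is a placeholder)
DISPATCH_BASE=1000
BUCKET_BASE=2000
BUCKET_STRIDE=200   # room for 199 /16s per /8; check that your own list fits
SHAPE_RULE=60000
PIPE=1              # assumed: a dummynet pipe configured elsewhere

# Constructed sample input standing in for the real list: 57 free /16s
# spread over three /8s, one CIDR per line.
sample_nets() {
    i=0
    while [ $i -lt 40 ]; do echo "10.$i.0.0/16"; i=$((i + 1)); done
    i=16
    while [ $i -lt 32 ]; do echo "172.$i.0.0/16"; i=$((i + 1)); done
    echo "192.168.0.0/16"
}
FREE_NETS=$(sample_nets)

# Print the ipfw commands for the given list. Never runs ipfw itself.
gen_skipto_rules() {
    nets=$1
    octets=$(printf '%s\n' "$nets" | cut -d. -f1 | sort -n | uniq)

    # Dispatcher: one rule per /8 that contains at least one free /16.
    for o in $octets; do
        target=$((BUCKET_BASE + o * BUCKET_STRIDE))
        echo "ipfw add $((DISPATCH_BASE + o)) skipto $target ip from any to $o.0.0.0/8"
    done
    echo "ipfw add $((DISPATCH_BASE + 256)) skipto $SHAPE_RULE ip from any to any"

    # Buckets: the free /16s of each /8, then a miss rule for the rest of it.
    for o in $octets; do
        target=$((BUCKET_BASE + o * BUCKET_STRIDE))
        n=0
        for net in $(printf '%s\n' "$nets" | grep "^$o\."); do
            echo "ipfw add $((target + n)) allow ip from any to $net"
            n=$((n + 1))
        done
        echo "ipfw add $((target + BUCKET_STRIDE - 1)) skipto $SHAPE_RULE ip from any to any"
    done

    # Shaping section: everything that was not passed above lands here.
    echo "ipfw add $SHAPE_RULE pipe $PIPE ip from any to any"
    echo "ipfw add $((SHAPE_RULE + 1)) allow ip from any to any"
}

# Worst-case rules evaluated for a packet bound to a free /16 under this
# layout: every dispatcher rule plus the allow rules of the largest bucket.
# A flat list evaluates up to (number of /16s) rules for the same packet.
worst_case_walk() {
    nets=$1
    buckets=$(printf '%s\n' "$nets" | cut -d. -f1 | sort -n | uniq | grep -c .)
    biggest=$(printf '%s\n' "$nets" | cut -d. -f1 | sort -n | uniq -c \
              | sort -rn | head -1 | awk '{print $1}')
    echo $((buckets + biggest))
}

gen_skipto_rules "$FREE_NETS"
```

Inspect the output before feeding it to sh on a firewall that is set to open, as Marc did while loading. The dispatcher is still a linear walk: with the sample list it is 3 rules and the worst case drops from 57 to 43 evaluations, but if the free /16s are spread over most of the /8 space the dispatcher alone approaches 256 rules, and a second skipto level (for example by first two octets) is needed to keep the critical path short.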