Date:      Thu, 19 Jun 2003 13:00:08 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        Tom Daly <tom@dyndns.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Firewall Performance Question.
Message-ID:  <3EF21648.8080205@tenebras.com>
In-Reply-To: <Pine.BSF.4.53.0306191542190.71421@manganese.bos.dyndns.org>
References:  <Pine.BSF.4.53.0306191542190.71421@manganese.bos.dyndns.org>


Tom Daly wrote:

> I am currently running a Dell Poweredge 350 with FreeBSD 4.7 as a network
> firewall for one of our sites. This site sees about 3 megabits of traffic.

per some unit of time, I presume? ;-)  maybe 3Mbit/s?

> The average firewall ruleset runs around 600-800 rules, running on IPFW.

That's a huge number of rules -- do you have any idea what number
of packets are checked against how many rules before being accepted
or denied?  A histogram would be nice....

> Could this be a direct cause of why my system's interrupt usage is over
> 50% at many times, as well as sending ICMP source quenches from time to
> time?
> 
> Can anyone suggest a performance tweak to help this box along?

Without seeing the ruleset, I'd venture a guess that IPFW2 would
help reduce the number of rules, and that a clever refactoring
(with poss. use of skipto rules) might reduce the load.


-- 

"Well," Brahma said, "even after ten thousand explanations, a fool is no
  wiser, but an intelligent man requires only two thousand five hundred."
                 - The Mahabharata
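The refactoring suggested in this reply can be illustrated with a small simulation. The following is an added example, not code from the thread or from FreeBSD's ipfw: it models ipfw's first-match linear walk (including skipto jumps) and counts how many rules each packet is compared against, for a flat per-host ruleset of about 240 rules and for the same policy restructured with skipto blocks grouped by protocol. The 60-host site, the addresses and the traffic mix are constructed, and the check counts are rule comparisons in this model only, not a measurement of ipfw's own per-rule cost; it also produces the per-packet histogram asked for above.

```python
"""Simulate IPFW-style first-match evaluation to count how many rules a packet
is checked against: a flat per-host ruleset versus the same policy refactored
with skipto blocks.  Constructed example, not FreeBSD's ipfw code; the hosts,
addresses and traffic mix are made up."""
import random
from bisect import bisect_left
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    dst: str            # destination IPv4 address as a string
    dport: int = 0      # destination port (0 where not applicable)

@dataclass
class Rule:
    num: int                            # ipfw rule number
    action: str                         # "allow", "deny" or "skipto"
    target: int = 0                     # skipto destination rule number
    proto: Optional[str] = None         # None matches any protocol
    dst: Optional[str] = None           # None matches any destination
    dports: frozenset = frozenset()     # empty set matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst is not None and self.dst != pkt.dst:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True

def evaluate(rules, pkt):
    """Walk the ruleset like ipfw: the first matching rule decides; a matching
    skipto jumps to the first rule numbered >= its target.  Rules must be
    sorted by number.  Returns (verdict, number_of_rules_checked)."""
    nums = [r.num for r in rules]
    i, checked = 0, 0
    while i < len(rules):
        rule = rules[i]
        checked += 1
        if rule.matches(pkt):
            if rule.action == "skipto":
                i = bisect_left(nums, rule.target)
                continue
            return rule.action, checked
        i += 1
    return "deny", checked            # implicit default deny at the end

HOSTS = [f"10.0.0.{n}" for n in range(1, 61)]   # constructed 60-host site

def flat_ruleset():
    """Four rules per host, the way a ruleset tends to grow one host at a time."""
    rules, num = [], 100
    for h in HOSTS:
        rules += [Rule(num, "allow", proto="tcp", dst=h, dports=frozenset({80})),
                  Rule(num + 1, "allow", proto="tcp", dst=h, dports=frozenset({443})),
                  Rule(num + 2, "allow", proto="udp", dst=h, dports=frozenset({53})),
                  Rule(num + 3, "allow", proto="icmp", dst=h)]
        num += 10
    rules.append(Rule(65000, "deny"))
    return rules

def skipto_ruleset():
    """Same policy: dispatch on protocol first so a packet only walks the block
    for its own protocol, and fold the two tcp ports into one rule per host."""
    rules = [Rule(100, "skipto", target=1000, proto="tcp"),
             Rule(200, "skipto", target=2000, proto="udp"),
             Rule(300, "skipto", target=3000, proto="icmp"),
             Rule(400, "deny")]                    # anything else stops here
    for i, h in enumerate(HOSTS):
        rules.append(Rule(1000 + i, "allow", proto="tcp", dst=h, dports=frozenset({80, 443})))
    rules.append(Rule(1999, "deny"))
    for i, h in enumerate(HOSTS):
        rules.append(Rule(2000 + i, "allow", proto="udp", dst=h, dports=frozenset({53})))
    rules.append(Rule(2999, "deny"))
    for i, h in enumerate(HOSTS):
        rules.append(Rule(3000 + i, "allow", proto="icmp", dst=h))
    rules.append(Rule(3999, "deny"))
    return rules

def histogram(rules, packets, bucket=25):
    """Packets bucketed by how many rules they were checked against."""
    counts = Counter()
    for pkt in packets:
        _, checked = evaluate(rules, pkt)
        counts[(checked // bucket) * bucket] += 1
    return dict(sorted(counts.items()))

def average_checks(rules, packets):
    return sum(evaluate(rules, p)[1] for p in packets) / len(packets)

def sample_traffic(seed=1, n=2000):
    """Constructed traffic mix: mostly web, some DNS and ping, a little noise."""
    rng = random.Random(seed)
    pkts = []
    for _ in range(n):
        h, r = rng.choice(HOSTS), rng.random()
        if r < 0.6:
            pkts.append(Packet("tcp", h, rng.choice([80, 443])))
        elif r < 0.8:
            pkts.append(Packet("udp", h, 53))
        elif r < 0.9:
            pkts.append(Packet("icmp", h))
        else:
            pkts.append(Packet("tcp", h, rng.choice([22, 25, 3389])))
    return pkts

if __name__ == "__main__":
    traffic = sample_traffic()
    for name, rs in (("flat", flat_ruleset()), ("skipto", skipto_ruleset())):
        print(f"{name}: {len(rs)} rules, avg {average_checks(rs, traffic):.1f} checks/packet")
        print("  histogram:", histogram(rs, traffic))
```

The point the simulation makes is the one in the reply: the cost of a ruleset is not its length but how many rules the typical packet traverses before a decision. A packet for the last host in the flat ruleset is compared against over two hundred rules, while in the skipto layout it is compared against one dispatch rule plus the rules of its own protocol block, and unexpected protocols are rejected after four comparisons instead of walking the whole list.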
