From: Tom Daly <tom@dyndns.org>
To: Michael Sierchio
cc: freebsd-net@freebsd.org
Date: Thu, 19 Jun 2003 17:08:02 -0400 (EDT)
Subject: Re: Firewall Performance Question.
In-Reply-To: <3EF21648.8080205@tenebras.com>

Hi,

On Thu, 19 Jun 2003, Michael Sierchio wrote:

> Tom Daly wrote:
>
> > I am currently running a Dell Poweredge 350 with FreeBSD 4.7 as a network
> > firewall for one of our sites. This site sees about 3 megabits of traffic.
>
> per some unit of time, I presume? ;-) maybe 3Mbit/s?

Yes, 3Mbits/s.

> > The average firewall ruleset runs around 600-800 rules, running on IPFW.
>
> That's a huge number of rules -- do you have any idea what number
> of packets are checked against how many rules before being accepted
> or denied? A histogram would be nice....

Most of these rules are a simple "ipfw deny all from x.x.x.x to any."
Could some sort of source route to a null interface be better?

> > Could this be a direct cause of why my system's interrupt usage is over
> > 50% at many times, as well as sending ICMP source quenches from time to
> > time?
> >
> > Can anyone suggest a performance tweak to help this box along?
>
> Without seeing the ruleset, I'd venture a guess that IPFW2 would
> help reduce the number of rules, and that a clever refactoring
> (with poss. use of skipto rules) might reduce the load.

The base ruleset is about 160 rules. The box can handle this with minimal
CPU load. The additional 500 rules, similar to the one above, are the
problem.

Suggestions?

Tom

> --
> "Well," Brahma said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent man requires only two thousand five hundred."
> - The Mahabharata

--
Tom Daly
tom@dyndns.org
Chief Infrastructure Officer
Dynamic DNS Network Services
http://www.dyndns.org/
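The skipto refactoring Michael suggests, shown as an added example that is not from either poster: a POSIX sh script that reads a list of blocked hosts and emits an ipfw(8) ruleset in which the per-host deny rules are grouped into one section per /8 prefix, reached through a short dispatch block of skipto rules. A packet is then matched against one skipto per populated /8 plus the deny rules of its own /8, instead of being walked through all 500 deny rules; traffic from a /8 with no blocked hosts skips the deny sections entirely. The host addresses, the rule numbers (100.., 1000..) and the use of rule 65000 as a stand-in for the rest of the base ruleset are constructed assumptions; grouping by /8 is a simplification and a real list might group by /16 depending on how the blocked hosts cluster.

```shell
#!/bin/sh
# Added example (not from the thread): regroup per-host "deny ip from X to any"
# rules behind per-/8 skipto rules so each packet traverses only the deny rules
# of its own /8 instead of the whole list.
# Rule numbers (100.., 1000.., 65000) and the host list are constructed assumptions.

# Constructed sample of blocked hosts, one per line, deliberately unsorted.
BLOCKED_HOSTS="192.168.9.1
10.9.8.7
172.16.5.5
10.1.2.3
192.168.1.10
192.168.7.7"

# gen_ruleset: reads IPv4 addresses on stdin, writes ipfw(8) commands on stdout.
# Layout:
#   100+   one skipto per /8 that contains blocked hosts, then a catch-all
#          skipto 65000 so traffic from any other /8 bypasses every deny rule
#   1000+  one contiguous deny section per /8, each ended by a skipto 65000
#   65000  stands in for the point where the existing base ruleset continues
gen_ruleset() {
    sorted=$(sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | uniq)

    # First pass: give each /8 a starting rule number for its deny section
    # (one rule per host in that /8, plus one for the terminating skipto).
    base=1000
    map=""
    for p in $(printf '%s\n' "$sorted" | cut -d. -f1 | uniq); do
        count=$(printf '%s\n' "$sorted" | grep -c "^$p\.")
        map="$map $p:$base"
        base=$((base + count + 1))
    done

    # Dispatch section: one skipto per populated /8, evaluated in order.
    n=100
    for pair in $map; do
        p=${pair%%:*}
        block=${pair#*:}
        echo "add $n skipto $block ip from $p.0.0.0/8 to any"
        n=$((n + 1))
    done
    # Source not in any populated /8: jump straight past all deny sections.
    echo "add $n skipto 65000 ip from any to any"

    # Deny sections: only the hosts of the matching /8 are examined.
    for pair in $map; do
        p=${pair%%:*}
        r=${pair#*:}
        for ip in $(printf '%s\n' "$sorted" | grep "^$p\."); do
            echo "add $r deny ip from $ip to any"
            r=$((r + 1))
        done
        echo "add $r skipto 65000 ip from any to any"
    done

    # Placeholder for where the base ruleset would continue.
    echo "add 65000 allow ip from any to any"
}

# Print the generated ruleset for the constructed host list.
printf '%s\n' "$BLOCKED_HOSTS" | gen_ruleset
```

The script only prints rules; review the output before loading it with ipfw(8). Because a skipto target need not exist (ipfw skips to the first rule numbered at or above the target), rule 65000 can be replaced by whatever number the base ruleset actually starts at. Later FreeBSD releases add ipfw tables, which replace this whole construction with a single lookup rule, but that feature is not available on the FreeBSD 4.7 system discussed here.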