From owner-freebsd-net@FreeBSD.ORG Thu Jun 19 15:28:15 2003 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1A97537B401 for ; Thu, 19 Jun 2003 15:28:15 -0700 (PDT) Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by mx1.FreeBSD.org (Postfix) with SMTP id 7F7E843F75 for ; Thu, 19 Jun 2003 15:28:14 -0700 (PDT) (envelope-from kudzu@tenebras.com) Received: (qmail 18050 invoked from network); 19 Jun 2003 22:28:13 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by 0 with SMTP; 19 Jun 2003 22:28:13 -0000 Message-ID: <3EF238FC.6040005@tenebras.com> Date: Thu, 19 Jun 2003 15:28:12 -0700 From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.3.1) Gecko/20030425 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 To: Tom Daly References: <3EF21648.8080205@tenebras.com> In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-net@freebsd.org Subject: Re: Firewall Performance Question. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Jun 2003 22:28:15 -0000 Tom Daly wrote: >>>The average firewall ruleset runs around 600-800 rules, running on IPFW. >> >>That's a huge number of rules -- do you have any idea what number >>of packets are checked against how many rules before being accepted >>or denied? A histogram would be nice.... > > Most of these rules are a simple "ipfw deny all from x.x.x.x to any." > Could some sort of source route to a null interface be better? > > The base ruleset is about 160 rules. The box can handle this with minimal > CPU load. The additional 500 rules, similar to the one above are the > problem. I'm of the opinion that 100 rules makes for a very large ruleset. > Suggestions? So, you're incurring a huge penalty for those packets that you allow in order to deny hosts/networks explicitly. Why? What percentage of packets are denied if you let them fall through to the bottom? Also, I strongly urge you to switch to IPFW2 -- in addition to using sets you can enable or disable atomically, or switch atomically, you can do things like: #!/bin/sh # fw rules bad_guys="{ \ 61.11.0.0/19 or \ 61.144.16.0/16 or \ 61.72.248.192/26 or \ 203.248.0.0/13 or \ 210.72.224.0/24 or \ 211.71.128.0/18 or \ 211.104.0.0/13 or \ 211.112.0.0/13 or \ 211.194.117.160/27 or \ 212.45.13.0/24 or \ 217.80.0.0/13 or \ 218.144.0.0/12 \ etc. }" # people we simply are not at home for ipfw add 00700 set 0 deny ip from $bad_guys to any in recv $oif # block those Microsoft protocols ipfw add 00900 set 0 deny ip from any to any 137-139,445,568-569,1433-1434,1512,2002 in recv $oif You get the idea -- it's not just the expressiveness of the notation, but the efficiency in matching packets that helps.