From owner-freebsd-net@FreeBSD.ORG Thu Jun 19 23:39:56 2003
Date: Fri, 20 Jun 2003 02:39:54 -0400 (EDT)
From: Tom Daly <tom@dyndns.org>
To: Michael Sierchio
cc: freebsd-net@freebsd.org
In-Reply-To: <3EF238FC.6040005@tenebras.com>
References: <3EF238FC.6040005@tenebras.com>
Subject: Re: Firewall Performance Question.
List-Id: Networking and TCP/IP with FreeBSD

Hi Mike,

It looks like this will make a big difference to us. I will take a look at
setting up a test bed to get IPFW2 going.

Thanks to everyone,
Tom

On Thu, 19 Jun 2003, Michael Sierchio wrote:

> Tom Daly wrote:
>
> >>>The average firewall ruleset runs around 600-800 rules, running on IPFW.
> >>
> >>That's a huge number of rules -- do you have any idea what number
> >>of packets are checked against how many rules before being accepted
> >>or denied? A histogram would be nice....
> >
> > Most of these rules are a simple "ipfw deny all from x.x.x.x to any."
> > Could some sort of source route to a null interface be better?
> >
> > The base ruleset is about 160 rules. The box can handle this with minimal
> > CPU load. The additional 500 rules, similar to the one above, are the
> > problem.
>
> I'm of the opinion that 100 rules makes for a very large
> ruleset.
>
> > Suggestions?
>
> So, you're incurring a huge penalty for those packets that you
> allow in order to deny hosts/networks explicitly. Why? What
> percentage of packets are denied if you let them fall through to
> the bottom?
>
> Also, I strongly urge you to switch to IPFW2 -- in addition to
> using sets you can enable or disable atomically, or switch
> atomically, you can do things like:
>
> #!/bin/sh
>
> # fw rules
>
> bad_guys="{ \
> 61.11.0.0/19 or \
> 61.144.16.0/16 or \
> 61.72.248.192/26 or \
> 203.248.0.0/13 or \
> 210.72.224.0/24 or \
> 211.71.128.0/18 or \
> 211.104.0.0/13 or \
> 211.112.0.0/13 or \
> 211.194.117.160/27 or \
> 212.45.13.0/24 or \
> 217.80.0.0/13 or \
> 218.144.0.0/12 \
>
> etc.
> }"
>
> # people we simply are not at home for
> ipfw add 00700 set 0 deny ip from $bad_guys to any in recv $oif
>
> # block those Microsoft protocols
> ipfw add 00900 set 0 deny ip from any to any 137-139,445,568-569,1433-1434,1512,2002 in recv $oif
>
> You get the idea -- it's not just the expressiveness of the
> notation, but the efficiency in matching packets that helps.
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

--
Tom Daly
tom@dyndns.org
Chief Infrastructure Officer
Dynamic DNS Network Services
http://www.dyndns.org/
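The histogram Michael asks for, and the cost difference between one deny rule per network and a single IPFW2 rule with an or-list of sources, can be estimated offline before touching a production box. The following is an added example, not code from the thread or from ipfw: it models ipfw's top-down rule walk in Python over a constructed sample of networks and packets, and counts how many rules each packet passes before a verdict.

```python
import ipaddress
from collections import Counter

# Constructed sample (not the full list from the thread): a few of the
# networks in Michael's script, standing in for the "additional 500 rules".
BAD_GUYS = ["61.11.0.0/19", "203.248.0.0/13", "210.72.224.0/24", "218.144.0.0/12"]


def make_rules(nets, consolidated):
    """Build a ruleset as a list of (action, [networks]).

    consolidated=False: one 'deny ip from NET to any' rule per network.
    consolidated=True : one IPFW2-style rule whose source is the whole
    '{ a or b or ... }' list. Both end with the same catch-all allow.
    """
    nets = [ipaddress.ip_network(n) for n in nets]
    rules = [("deny", nets)] if consolidated else [("deny", [n]) for n in nets]
    rules.append(("allow", [ipaddress.ip_network("0.0.0.0/0")]))
    return rules


def evaluate(rules, src):
    """Walk the ruleset top-down as ipfw does; return (verdict, rules walked).

    The or-list of a consolidated rule is still scanned, but inside one rule
    body rather than as many separately dispatched rules.
    """
    addr = ipaddress.ip_address(src)
    for number, (action, nets) in enumerate(rules, 1):
        if any(addr in net for net in nets):
            return action, number
    return "deny", len(rules)  # ipfw's implicit default deny (rule 65535)


def histogram(rules, sources):
    """Count packets by how many rules were walked before a verdict."""
    return Counter(evaluate(rules, s)[1] for s in sources)


def mean_rules_walked(rules, sources):
    return sum(evaluate(rules, s)[1] for s in sources) / len(sources)


if __name__ == "__main__":
    # Constructed traffic: one packet per blocked network plus one permitted
    # source, so the cost of letting good traffic "fall through" is visible.
    sample = ["61.11.5.5", "203.250.1.1", "210.72.224.9", "218.150.0.1", "192.0.2.1"]
    for label, rules in (("one rule per net", make_rules(BAD_GUYS, False)),
                         ("ipfw2 or-list", make_rules(BAD_GUYS, True))):
        print(label, dict(histogram(rules, sample)), mean_rules_walked(rules, sample))
```

Feeding the same function a real address sample from the box's logs gives the per-packet rule-walk distribution Michael was asking about, and shows how far a permitted packet travels before it is accepted.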