From owner-freebsd-security Thu Aug 17 9: 0:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66])
    by hub.freebsd.org (Postfix) with ESMTP id 4807C37B6E6
    for ; Thu, 17 Aug 2000 09:00:01 -0700 (PDT)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131])
    by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id JAA16056;
    Thu, 17 Aug 2000 09:59:29 -0600 (MDT)
    (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost)
    by nomad.yogotech.com (8.8.8/8.8.8) id JAA23163;
    Thu, 17 Aug 2000 09:58:36 -0600 (MDT)
    (envelope-from nate)
Date: Thu, 17 Aug 2000 09:58:36 -0600 (MDT)
Message-Id: <200008171558.JAA23163@nomad.yogotech.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Warner Losh
Cc: Mike Silbersack, David May, freebsd-security@FreeBSD.ORG
Subject: Re: [Q] why does my firewall degrade Web performance?
In-Reply-To: <200008170516.XAA09705@harmony.village.org>
References: <200008170516.XAA09705@harmony.village.org>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> : > The firewall machine CPU load is always light. It is a Pentium II Celeron
> : > 300MHz, 64Mb RAM, four Ethernet cards (3 D-Link 10/100, 1 NE2000),
> : > and around 180 ipfw rules.
> :
> : I'm not sure how fast/slow ipfw is, but 180 rules sounds like a
> : LOT. Could you get by with a few less? (Or at least try the setup with
> : no rules and the firewall box just running as a pure router.)
>
> 180 is about normal for having multiple cards. 300MHz should be
> plenty fast enough.

No kidding. I have 133 on my firewall, and it's a 486/66, and it keeps
up *just fine* running with a 100MB ethernet connected to a T1. I've
never seen the box under any load average, and it's been on the net
since '93.

We used a 486 for firewall in commercial products (and would continue to
do so except that you can't find them anymore).

Nate