Date: Thu, 17 Aug 2000 12:15:27 -0400
From: "John" <john@digitalinet.com>
To: "Nate Williams" <nate@yogotech.com>, "Warner Losh" <imp@village.org>
Cc: "Mike Silbersack" <silby@silby.com>, "David May" <David_May@allsolutions.com.au>, <freebsd-security@FreeBSD.ORG>
Subject: Re: [Q] why does my firewall degrade Web performance?
Message-ID: <000b01c00866$5ca6de20$03030303@john>
References: <Pine.BSF.4.21.0008161825580.14500-100000@achilles.silby.com><200008170516.XAA09705@harmony.village.org> <200008171558.JAA23163@nomad.yogotech.com>
I recommend making sure the NICs on the machine are performing fine. I also
recommend you benchmark your webserver from inside the firewall, then from
outside. If you can't figure anything out, I recommend you try using ipfilter
instead of ipfw.

Thanks,
John (Digitalinet NOC Engineer)
"Want a free domain? Visit: www.digitalinet.com"

----- Original Message -----
From: "Nate Williams" <nate@yogotech.com>
To: "Warner Losh" <imp@village.org>
Cc: "Mike Silbersack" <silby@silby.com>; "David May" <David_May@allsolutions.com.au>; <freebsd-security@FreeBSD.ORG>
Sent: Thursday, August 17, 2000 11:58 AM
Subject: Re: [Q] why does my firewall degrade Web performance?

> > : > The firewall machine CPU load is always light. It is a Pentium II Celeron
> > : > 300MHz, 64Mb RAM, four Ethernet cards (3 D-Link 10/100, 1 NE2000),
> > : > and around 180 ipfw rules.
> > :
> > : I'm not sure how fast/slow ipfw is, but 180 rules sounds like a
> > : LOT. Could you get by with a few less? (Or at least try the setup with
> > : no rules and the firewall box just running as a pure router.)
> >
> > 180 is about normal for having multiple cards. 300MHz should be
> > plenty fast enough.
>
> No kidding. I have 133 on my firewall, and it's a 486/66, and it keeps
> up *just fine* running with a 100MB ethernet connected to a T1.
>
> I've never seen the box under any load average, and it's been on the net
> since '93. We used a 486 for firewall in commercial products (and
> would continue to do so except that you can't find them anymore).
>
>
>
> Nate
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message