From owner-freebsd-security Thu Aug 17 9:15: 8 2000
Message-ID: <000b01c00866$5ca6de20$03030303@john>
From: "John"
To: "Nate Williams", "Warner Losh"
Cc: "Mike Silbersack", "David May",
References: <200008170516.XAA09705@harmony.village.org> <200008171558.JAA23163@nomad.yogotech.com>
Subject: Re: [Q] why does my firewall degrade Web performance?
Date: Thu, 17 Aug 2000 12:15:27 -0400

I recommend making sure the NICs on the machine are performing fine. I also
recommend you benchmark your webserver from inside the firewall, then from
outside. If you can't figure anything out, I recommend you try using ipfilter
instead of ipfw.

Thanks,
John (Digitalinet NOC Engineer)
"Want a free domain? Visit: www.digitalinet.com"

----- Original Message -----
From: "Nate Williams"
To: "Warner Losh"
Cc: "Mike Silbersack"; "David May";
Sent: Thursday, August 17, 2000 11:58 AM
Subject: Re: [Q] why does my firewall degrade Web performance?

> > : > The firewall machine CPU load is always light. It is a Pentium II Celeron
> > : > 300MHz, 64Mb RAM, four Ethernet cards (3 D-Link 10/100, 1 NE2000),
> > : > and around 180 ipfw rules.
> > :
> > : I'm not sure how fast/slow ipfw is, but 180 rules sounds like a
> > : LOT. Could you get by with a few less? (Or at least try the setup with
> > : no rules and the firewall box just running as a pure router.)
> >
> > 180 is about normal for having multiple cards. 300MHz should be
> > plenty fast enough.
>
> No kidding. I have 133 on my firewall, and it's a 486/66, and it keeps
> up *just fine* running with a 100MB ethernet connected to a T1.
>
> I've never seen the box under any load average, and it's been on the net
> since '93. We used a 486 for firewall in commercial products (and
> would continue to do so except that you can't find them anymore).
>
>
> Nate
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
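The thread turns on whether roughly 180 ipfw rules can cost anything on this box. ipfw walks rules in ascending rule-number order and stops at the first match, so what matters is not the rule count but how many rules each packet is compared against before it matches, and `ipfw -a list` prints a packet and byte counter per rule that answers exactly that. The script below is an added example, not code from anyone in this thread: it parses that counter output (the sample output is constructed for the demonstration, not taken from the original poster's firewall) and estimates how many rule comparisons the firewall performed and which rules carry the traffic. It assumes no `skipto` or `check-state` shortcuts, which the constructed sample does not use.

```python
"""Rank ipfw rules by hit count to spot expensive rule ordering.

Added example, not from the freebsd-security thread. It parses the output
of `ipfw -a list` (rule number, packet counter, byte counter, rule body).
The sample below is CONSTRUCTED for the demonstration.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ipfw -a list` output: number, packets, bytes, body.
SAMPLE_IPFW_OUTPUT = """\
00100      1200       96000 allow ip from any to any via lo0
00200         3         180 deny ip from any to 127.0.0.0/8
00300        15         900 deny ip from 127.0.0.0/8 to any
00400       800      640000 deny ip from 10.0.0.0/8 to any in via fxp0
00500         0           0 deny ip from 172.16.0.0/12 to any in via fxp0
00600         0           0 deny ip from 192.168.0.0/16 to any in via fxp0
00700         0           0 deny log ip from any to any frag
01000   2500000  2000000000 allow tcp from any to 192.168.1.10 80 in via fxp0 setup
01100   4100000  3900000000 allow tcp from any to any established
01200      9000      720000 allow udp from any 53 to any
65535       120        7200 deny ip from any to any
"""

RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


@dataclass
class Rule:
    number: int
    packets: int
    bytes: int
    body: str


def parse_ipfw_list(text):
    """Parse `ipfw -a list` lines into Rule objects, skipping anything else."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append(Rule(int(m.group(1)), int(m.group(2)),
                          int(m.group(3)), m.group(4).strip()))
    return rules


def evaluation_cost(rules):
    """Total rule comparisons, assuming each packet is tested against every
    rule up to and including the one it matched (ipfw stops at first match).
    Assumption: no skipto/check-state shortcuts in the rule set."""
    return sum((i + 1) * r.packets for i, r in enumerate(rules))


def hot_rules(rules, top=3):
    """Rules carrying the most packets, as (position, rule number, packets)."""
    ranked = sorted(enumerate(rules, start=1),
                    key=lambda p: p[1].packets, reverse=True)
    return [(pos, r.number, r.packets) for pos, r in ranked[:top]]


def reorder_cost(rules):
    """Cost if rules were sorted by hit count. This is a lower bound only:
    a real reorder must keep deny-before-allow semantics, so treat it as a
    target to measure against, not as a rule set to install."""
    return evaluation_cost(sorted(rules, key=lambda r: r.packets, reverse=True))


if __name__ == "__main__":
    rs = parse_ipfw_list(SAMPLE_IPFW_OUTPUT)
    print("rule comparisons performed:", evaluation_cost(rs))
    for pos, num, pkts in hot_rules(rs):
        print(f"rule {num:05d} sits at position {pos} and matched {pkts} packets")
    print("lower bound if ordered by hits:", reorder_cost(rs))
```

On a live box, pipe real output in with `ipfw -a list | python3 thisscript.py` after adapting the `__main__` block to read stdin; the useful signal is a heavily hit rule sitting deep in the list, which is the case that turns "180 rules" into real per-packet work. The `established` and `setup` rules in the sample are the classic candidates to move up, subject to keeping the deny rules that must precede them.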