From owner-freebsd-security  Thu Aug 17  9:17:47 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66])
	by hub.freebsd.org (Postfix) with ESMTP id 3BE8037B7F1
	for <freebsd-security@FreeBSD.ORG>; Thu, 17 Aug 2000 09:17:38 -0700 (PDT)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131])
	by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id KAA16189;
	Thu, 17 Aug 2000 10:17:07 -0600 (MDT)
	(envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost)
	by nomad.yogotech.com (8.8.8/8.8.8) id KAA23260;
	Thu, 17 Aug 2000 10:16:15 -0600 (MDT)
	(envelope-from nate)
Date: Thu, 17 Aug 2000 10:16:15 -0600 (MDT)
Message-Id: <200008171616.KAA23260@nomad.yogotech.com>
From: Nate Williams <nate@yogotech.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: "John" <john@digitalinet.com>
Cc: "Nate Williams" <nate@yogotech.com>,
	"Warner Losh" <imp@village.org>, "Mike Silbersack" <silby@silby.com>,
	"David May" <David_May@allsolutions.com.au>,
	<freebsd-security@FreeBSD.ORG>
Subject: Re: [Q] why does my firewall degrade Web performance? 
In-Reply-To: <000b01c00866$5ca6de20$03030303@john>
References: <Pine.BSF.4.21.0008161825580.14500-100000@achilles.silby.com>
	<200008170516.XAA09705@harmony.village.org>
	<200008171558.JAA23163@nomad.yogotech.com>
	<000b01c00866$5ca6de20$03030303@john>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I recommend making sure the nic's on the machine are performing fine.

For what it's worth, I'm using one of the *really* crappy cards (3c509)
on my 486/66, and it's still working fine.

IPFW is a *very* effecient packet filtering implementation, so either
the firewall rules are implemented poorly (you can optimize them rather
easily by doing fast-path guesses), or something else is wrong.

> I also recommend you benchmark your webserver from inside the firewall then
> from outside.
> If you can't figure anything out I recommend you try using ipfilter instead
> of ipfw.

ipfilter is much more resource hungry than ipfw.


Nate


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message