Date: Wed, 7 Aug 2002 14:03:22 -0700 (PDT)
From: Patrick Thomas <root@utility.clubscholarship.com>
To: <freebsd-questions@freebsd.org>
Subject: need tunings for a loaded freeBSD firewall
Message-ID: <20020807135406.O28830-100000@utility.clubscholarship.com>
Hello,
My firewall is:
CPU: Pentium III/Pentium III Xeon/Celeron (631.29-MHz 686-class CPU)
and it is running 4.4-RELEASE. I have made no special tunings to this
system other than rebuilding the kernel with superfluous things like USB
and PCMCIA removed.
The firewall has two interfaces and handles about 2 megabits/second of
traffic on average. Recently, for reasons I cannot discern, it is choking
on traffic. Most ftp transfers run at 5-8 Kb/s (as opposed to 300-500 K)
and pings with large packet sizes drop a lot of packets.
Small (normal) pings and general interactive response seem to be ok, but
again, file transfers are horrible, and pings with large sizes drop a lot
of packets.
When I first noticed the problem, I had roughly 400 ipfw rules loaded
(almost all of them "count" rules for different IPs) and when I ran
netstat -m, it told me 75% of mb_map in use.
Now I have rebooted the firewall, and only a small number of ipfw rules
are in place, and immediately after booting, it says 51% of mb_map in use.
BUT, at no time were any requests for memory denied, or delayed, and there
have been no protocol drain routines called for. This is what netstat -m
looks like about 10 mins after booting:
# netstat -m
360/624/2304 mbufs in use (current/peak/max):
360 mbufs allocated to data
244/370/576 mbuf clusters in use (current/peak/max)
896 Kbytes allocated to network (51% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
So ... any suggestions? What are the general tunings that should be
done to a simple FreeBSD firewall (again, I have done nothing but remove
things like USB from the kernel)?
Also, do the problems I describe seem consistent with the netstat -m I
have pasted here?
Any help/comments appreciated.
--pt
