From owner-freebsd-questions Wed Aug 7 14:03:58 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6D70037B400 for ; Wed, 7 Aug 2002 14:03:55 -0700 (PDT)
Received: from utility.clubscholarship.com (utility.clubscholarship.com [198.78.70.175]) by mx1.FreeBSD.org (Postfix) with ESMTP id 09EF543E6E for ; Wed, 7 Aug 2002 14:03:54 -0700 (PDT) (envelope-from root@utility.clubscholarship.com)
Received: from localhost (root@localhost) by utility.clubscholarship.com (8.11.6/8.11.6) with ESMTP id g77L3Ma29201 for ; Wed, 7 Aug 2002 14:03:22 -0700 (PDT) (envelope-from root@utility.clubscholarship.com)
Date: Wed, 7 Aug 2002 14:03:22 -0700 (PDT)
From: Patrick Thomas
To:
Subject: need tunings for a loaded freeBSD firewall
Message-ID: <20020807135406.O28830-100000@utility.clubscholarship.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hello,

My firewall is:

    CPU: Pentium III/Pentium III Xeon/Celeron (631.29-MHz 686-class CPU)

and it is running 4.4-RELEASE. I have made no special tunings to this system other than rebuilding the kernel with superfluous things like USB and PCMCIA removed.

The firewall has two interfaces and handles about 2 megabits/second of traffic on average.

Recently, for reasons I cannot discern, it is choking on traffic. Most ftp transfers run at 5-8 Kb/s (as opposed to 300-500 K) and pings with large packet sizes drop a lot of packets. Small (normal) pings and general interactive response seem to be ok, but again, file transfers are horrible, and pings with large sizes drop a lot of packets.

When I first noticed the problem, I had roughly 400 ipfw rules loaded (almost all of them "count" rules for different IPs) and when I ran netstat -m, it told me 75% of mb_map in use. Now I have rebooted the firewall, and only a small number of ipfw rules are in place, and immediately after booting, it says 51% of mb_map in use. BUT, at no time were any requests for memory denied, or delayed, and there have been no protocol drain routines called for.

This is what netstat -m looks like about 10 mins after booting:

    # netstat -m
    360/624/2304 mbufs in use (current/peak/max):
            360 mbufs allocated to data
    244/370/576 mbuf clusters in use (current/peak/max)
    896 Kbytes allocated to network (51% of mb_map in use)
    0 requests for memory denied
    0 requests for memory delayed
    0 calls to protocol drain routines

So .... any suggestions ?

What are the general tunings that should be done to a simple FreeBSD firewall (again, I have done nothing but remove things like USB from the kernel) ?

Also, do the problems I describe seem consistent with the netstat -m I have pasted here ?

Any help/comments appreciated.

--pt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
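The netstat -m snapshot in the post can be read mechanically rather than eyeballed. The following is an added example, not code from the post or from FreeBSD: it parses the FreeBSD 4.x-style netstat -m lines quoted above (the line formats it recognises are assumed from that output alone; other FreeBSD releases print different fields), turns each current/peak/max triple into peak-as-percent-of-max, and reports the counters that are the real evidence of mbuf pool exhaustion: requests denied, requests delayed, and protocol drain calls. The 80% peak threshold is an assumed value chosen for illustration.

```python
"""Parse FreeBSD 4.x-style `netstat -m` output and summarise mbuf pool pressure.

Added example for this thread; it is not code from the original post or from
FreeBSD. The line formats recognised below are assumed from the output quoted
in the post; other FreeBSD versions print `netstat -m` differently.
"""
import re

# Constructed sample: the `netstat -m` output quoted in the post, embedded so
# the script runs offline without a FreeBSD host.
SAMPLE_OUTPUT = """\
360/624/2304 mbufs in use (current/peak/max):
        360 mbufs allocated to data
244/370/576 mbuf clusters in use (current/peak/max)
896 Kbytes allocated to network (51% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
"""

# "N/N/N mbufs in use" and "N/N/N mbuf clusters in use" lines.
_TRIPLE = re.compile(r"^\s*(\d+)/(\d+)/(\d+)\s+(mbufs|mbuf clusters) in use")
# The three exhaustion counters at the end of the output.
_COUNTER = re.compile(
    r"^\s*(\d+)\s+(requests for memory denied|requests for memory delayed"
    r"|calls to protocol drain routines)"
)
# The "(NN% of mb_map in use)" fragment on the Kbytes line.
_MAP = re.compile(r"\((\d+)% of mb_map in use\)")

_COUNTER_KEYS = {
    "requests for memory denied": "denied",
    "requests for memory delayed": "delayed",
    "calls to protocol drain routines": "drain_calls",
}


def parse_netstat_m(text):
    """Return a dict of the pool counters found in `text`.

    'mbufs' and 'clusters' map to (current, peak, max) tuples; 'denied',
    'delayed' and 'drain_calls' are ints; 'mb_map_pct' is an int.
    Lines that are absent from the input are left out rather than guessed.
    """
    stats = {}
    for line in text.splitlines():
        m = _TRIPLE.match(line)
        if m:
            key = "mbufs" if m.group(4) == "mbufs" else "clusters"
            stats[key] = tuple(int(m.group(i)) for i in (1, 2, 3))
            continue
        m = _COUNTER.match(line)
        if m:
            stats[_COUNTER_KEYS[m.group(2)]] = int(m.group(1))
            continue
        m = _MAP.search(line)
        if m:
            stats["mb_map_pct"] = int(m.group(1))
    return stats


def assess(stats, peak_warn_pct=80):
    """Classify pool pressure from parsed stats.

    Returns (findings, peak_pct): findings is a list of conditions an operator
    would act on, peak_pct maps each pool to its peak as a percent of max.
    A non-zero denied/delayed/drain counter is hard evidence the pool ran
    out; a high peak is only a capacity warning (threshold is an assumption).
    """
    findings = []
    peak_pct = {}
    for pool in ("mbufs", "clusters"):
        if pool in stats:
            _current, peak, maximum = stats[pool]
            pct = 100 * peak // maximum
            peak_pct[pool] = pct
            if pct >= peak_warn_pct:
                findings.append("%s peak at %d%% of max" % (pool, pct))
    for counter in ("denied", "delayed", "drain_calls"):
        if stats.get(counter, 0) > 0:
            findings.append("%s = %d (pool was exhausted)" % (counter, stats[counter]))
    return findings, peak_pct


if __name__ == "__main__":
    parsed = parse_netstat_m(SAMPLE_OUTPUT)
    found, peaks = assess(parsed)
    print(parsed)
    print(peaks)
    print(found or ["no mbuf exhaustion evidence in this snapshot"])
```

Run against the snapshot in the post it reports an mbuf peak at 27% of max and a cluster peak at 64% of max with all three exhaustion counters at zero, which is why a rising mb_map percentage on its own is a capacity trend to watch rather than proof that the pool ran out; collecting this snapshot periodically (for example from cron) and comparing peaks over time says more than a single reading.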