Date: Fri, 10 Feb 2006 15:22:41 -0500
From: Marcos Bedinelli <bedinelli@madhaus.cns.utoronto.ca>
To: Julian Elischer <julian@elischer.org>
Cc: freebsd-net@freebsd.org
Subject: Re: Network performance in a dual CPU system
Message-ID: <b9265a86721e4c9dec1e86423ebcd267@madhaus.cns.utoronto.ca>
In-Reply-To: <43ECEF7C.2090101@elischer.org>
References: <7bb8f24157080b6aaacb897a99259df9@madhaus.cns.utoronto.ca> <43ECB1E7.8010308@mac.com> <711b7ec873f31bc5be50ce477313fac3@madhaus.cns.utoronto.ca> <43ECEF7C.2090101@elischer.org>

Hi Julian,

On 10-Feb-06, at 14:54, Julian Elischer wrote:

> I have found that most people can optimise their ipfw rulesets
> considerably.
>
> for example: a first rule of:
> 1 allow ip from any to any in recv {inside interface}
> 2 allow ip from any to any out xmit {inside interface}
> will cut your ipfw load by 50% immediately.
> (you should only be filtering on one interface usually)
>
> use 'skipto' rules to immediately send incoming and outgoing data to
> different rule sets.
>
> etc.
> (If you want to privately send me your ruleset I can probably help you
> do this)
>
> julian

Thank you very much for your input and kind offer.

Not long ago I removed the entire ruleset on that machine and the impact was minimal (i.e., CPU utilization was still above 98%). Nevertheless, I am sure my ruleset can benefit from some polishing. I would like to take the liberty of writing to you in the future to exchange some ideas, provided you have no objections.

Thanks!

--
Marcos