Date: Fri, 18 Aug 2000 12:32:44 -0400 (EDT)
From: Jim Sander <jim@federation.addy.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [Q] why does my firewall degrade Web performance?
Message-ID: <Pine.BSF.4.10.10008181211590.3414-100000@federation.addy.com>
In-Reply-To: <Pine.BSF.4.10.10008180932120.25370-100000@bsdie.rwsystems.net>
Personally, I think we're straying a bit from 'security' - but it's close enough that I guess I can chime in with something that may help improve someone's "gut feel" sense. (which is why I liked reading the other messages in this thread- thanks all)

We run a firewall with about 3000 rules- used mainly for bandwidth tracking purposes. The highest load average I ever see is about .1 (when the bandwidth tracking scripts update our database) but the telling numbers are this line from "top" but also available in other utilities like iostat, etc.

> CPU states: 0.0% user, 0.0% nice, 0.0% system, 40.5% interrupt, 59.5% idle

The interrupt load on that machine is about 10 or 20 times higher than on any of the machines behind the wall. (which of course makes perfect sense)

The hardware is a 400MHz Celeron- slowest thing we could find at the time, 64MB RAM, 100MB NIC, connected to a dual T1 through an etinc interface. (in other words it's a router-firewall in one box) The software is FreeBSD 3.3R and ipfw.

I've never had trouble with slow browsing from the outside, even during heavy use periods. (although to be honest we've never fully maxed our connection out)

YMMV, but I'd say that the problems described would be a duplex-mismatch or other oddball thing. Firewalling just isn't that hard on the CPU, a Cisco 2500 is like a 68030- right?

Anyway, hope this helps a little.

-=Jim=-
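The message above uses the "CPU states" line from top to compare interrupt load on the firewall against hosts behind it. The following is an added example, not part of Jim's post or of FreeBSD/ipfw: it parses that line as top prints it, checks that the fields add up, and flags any host whose interrupt share is far above the median of the others. The sample lines are constructed, and the 10x threshold is taken from the "10 or 20 times higher" observation in the post and made a parameter.

```python
import re
from statistics import median

# Constructed sample data: one top "CPU states" line per host (not real measurements).
SAMPLES = {
    "firewall": "CPU states:  0.0% user,  0.0% nice,  0.0% system, 40.5% interrupt, 59.5% idle",
    "web1":     "CPU states: 12.3% user,  0.0% nice,  4.1% system,  2.0% interrupt, 81.6% idle",
    "web2":     "CPU states:  8.0% user,  0.0% nice,  3.5% system,  1.5% interrupt, 87.0% idle",
    "db1":      "CPU states: 20.0% user,  0.0% nice,  6.0% system,  3.0% interrupt, 71.0% idle",
}

CPU_LINE = re.compile(r"^CPU states:(.*)$")
FIELD = re.compile(r"([\d.]+)%\s*([a-z]+)")


def parse_cpu_states(line):
    """Parse one top 'CPU states' line into {state: percent}.

    Raises ValueError if the line is not a CPU states line or the
    percentages do not sum to roughly 100 (a sign of a truncated line).
    """
    m = CPU_LINE.match(line.strip())
    if not m:
        raise ValueError("not a top CPU states line: %r" % line)
    states = {name: float(pct) for pct, name in FIELD.findall(m.group(1))}
    total = sum(states.values())
    if not 99.0 <= total <= 101.0:
        raise ValueError("CPU states sum to %.1f%%, expected ~100%%" % total)
    return states


def interrupt_outliers(samples, ratio=10.0):
    """Return {host: multiple} for hosts whose interrupt share is at least
    `ratio` times the median interrupt share of the other hosts.

    The median is used as the baseline so that a single busy box (the
    firewall itself) does not inflate the reference it is compared against.
    """
    shares = {h: parse_cpu_states(l).get("interrupt", 0.0) for h, l in samples.items()}
    flagged = {}
    for host, share in shares.items():
        others = [s for h, s in shares.items() if h != host]
        baseline = median(others) if others else 0.0
        if baseline > 0 and share / baseline >= ratio:
            flagged[host] = round(share / baseline, 2)
    return flagged


if __name__ == "__main__":
    for host, multiple in interrupt_outliers(SAMPLES).items():
        print("%s: interrupt share is %.2fx the median of the other hosts" % (host, multiple))
```

On the constructed data the firewall comes out at roughly 20x the other hosts, which matches the post's description of a packet-forwarding box whose CPU time is almost entirely interrupt handling rather than user or system time. A host behind the firewall showing a similar multiple is worth a look, since that pattern usually points at a NIC or duplex problem rather than at the rule set.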