From owner-freebsd-security Fri Aug 18 9:48:55 2000
Date: Fri, 18 Aug 2000 12:48:40 -0400
From: Bill Fumerola
To: Jim Sander
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [Q] why does my firewall degrade Web performance?
Message-ID: <20000818124839.R65562@jade.chc-chimes.com>
In-Reply-To: ; from jim@federation.addy.com on Fri, Aug 18, 2000 at 12:32:44PM -0400
X-Mailer: Mutt 1.0i
X-Operating-System: FreeBSD 3.3-STABLE i386

On Fri, Aug 18, 2000 at 12:32:44PM -0400, Jim Sander wrote:

> We run a firewall with about 3000 rules, used mainly for bandwidth
> tracking purposes. The highest load average I ever see is about .1 (when
> the bandwidth tracking scripts update our database), but the telling
> numbers are this line from "top", also available in other utilities
> like iostat, etc.:
>
> CPU states: 0.0% user, 0.0% nice, 0.0% system, 40.5% interrupt, 59.5% idle
>
> The interrupt load on that machine is about 10 or 20 times higher than
> on any of the machines behind the wall (which of course makes perfect
> sense). The hardware is a 400MHz Celeron, the slowest thing we could find at
> the time, 64MB RAM, 100MB NIC, connected to a dual T1 through an etinc
> interface (in other words it's a router-firewall in one box). The software
> is FreeBSD 3.3R and ipfw.
>
> I've never had trouble with slow browsing from the outside, even during
> heavy use periods (although to be honest we've never fully maxed our
> connection out). YMMV, but I'd say that the problems described would be a
> duplex mismatch or other oddball thing. Firewalling just isn't that hard on
> the CPU; a Cisco 2500 is like a 68030, right?

ipfw with that many rules _is_ slow and will eat interrupt CPU as you see
there. You might want to consolidate your rules, unless you're using skipto.

-- 
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org
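Bill's point about skipto, shown as an added example that is not part of the thread and not anyone's actual ruleset. The script below generates an ipfw(8) per-host bandwidth-counting ruleset two ways: a flat list of "count" rules, and the same counters partitioned into blocks that the packet reaches through "skipto" dispatch rules. Because "count" never terminates rule processing, a packet against the flat list is tested against every rule up to the final allow; with the skipto layout it is tested against the handful of dispatch rules, the one block for its network and direction, and the block's exit rule. The networks (192.0.2.0/24 and 198.51.100.0/24), the rule numbers, the use of "in"/"out" rather than interface-based "via" matching, and the closing "allow" standing in for the site's real policy are all assumptions made for the example. The script only prints rules; it never invokes ipfw, so the output can be reviewed before being loaded.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates an ipfw ruleset
# for per-host traffic counting in two layouts so the difference in rules
# walked per packet can be seen. Assumed (constructed) networks; nothing
# here is loaded into the kernel, the rules are just printed.

NETS="192.0.2 198.51.100"   # first three octets of the /24s we count (assumption)

# Flat layout: one 'count' rule per host and direction, in one long list.
# 'count' does not stop the search, so every packet walks all of them.
gen_flat() {
    n=1000
    for net in $NETS; do
        h=1
        while [ "$h" -le 254 ]; do
            echo "add $n count ip from $net.$h to any out"
            echo "add $((n + 1)) count ip from any to $net.$h in"
            n=$((n + 2)); h=$((h + 1))
        done
    done
    echo "add 65000 allow ip from any to any"   # stands in for the real policy
}

# One block of per-host counters for a single network and direction,
# terminated by a skipto so the packet does not fall into the next block.
# $1 = first rule number, $2 = network prefix, $3 = in | out
gen_block() {
    n=$1; h=1
    while [ "$h" -le 254 ]; do
        if [ "$3" = out ]; then
            echo "add $n count ip from $2.$h to any out"
        else
            echo "add $n count ip from any to $2.$h in"
        fi
        n=$((n + 1)); h=$((h + 1))
    done
    echo "add $n skipto 65000 ip from any to any"  # leave the block
}

# Skipto layout: a short dispatch list jumps to the block for the packet's
# network and direction; anything that matches no block skips straight to
# the end instead of walking the first block by accident.
gen_skipto() {
    n=100; blk=10000
    for net in $NETS; do
        echo "add $n skipto $blk ip from $net.0/24 to any out"
        echo "add $((n + 1)) skipto $((blk + 1000)) ip from any to $net.0/24 in"
        n=$((n + 2)); blk=$((blk + 2000))
    done
    echo "add $n skipto 65000 ip from any to any"   # no block applies: bail out
    blk=10000
    for net in $NETS; do
        gen_block "$blk" "$net" out
        gen_block "$((blk + 1000))" "$net" in
        blk=$((blk + 2000))
    done
    echo "add 65000 allow ip from any to any"
}

# Worst-case number of rules tested for one packet in each layout.
# $1 = flat | skipto
worst_walk() {
    mode=$1; set -- $NETS; nnets=$#
    if [ "$mode" = flat ]; then
        echo $((2 * 254 * nnets + 1))           # every counter, then the final allow
    else
        echo $((2 * nnets + 254 + 1 + 1))       # dispatch, one block, its exit, final allow
    fi
}

main() {
    case "${1:-skipto}" in
        flat)   gen_flat ;;
        skipto) gen_skipto ;;
        *)      echo "usage: $0 [flat|skipto]" >&2; return 2 ;;
    esac
}

main "$@"
```

With the two assumed /24s the flat list is 1017 rules and every packet walks all of them, while the skipto layout is slightly longer (1026 rules, since each block needs an exit) but a packet walks at most 260 and a packet belonging to neither network walks 6. Review the output before feeding it to something like `ipfw -q /dev/stdin`; in particular, check that the dispatch rules cover every network you count, because a packet that matches none of them must reach the bail-out skipto rather than the first block.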