From owner-freebsd-questions@freebsd.org Sat Nov 23 16:47:09 2019
Subject: Re: Optimizing ipfw?
To: freebsd-questions@freebsd.org
From: Victor Gamov
Organization: OstankinoTelecom
Date: Sat, 23 Nov 2019 19:46:59 +0300

Hi Tim

You need to use a table like this:

=====
table srcIP create type addr
table srcIP add IP1/32
table srcIP add IP2/32
table srcIP add IP3/24
add 1500 deny ip from table(srcIP) to any in recv NIC
=====

In a more complex case you can add tablearg and jump to a rule marked by tablearg.

The main idea is to check as few rules as possible while a packet is processed by ipfw.

On 23/11/2019 19:21, Tim Daneliuk wrote:
> I have a boundary/gateway FreeBSD 11 machine running mostly as a NATing
> firewall. The machine is very lightly loaded and has no memory pressure
> to speak of.
>
> Recently, I tried going from about 2800 ipfw rules to over 34,000 to block
> a number of nations completely. This works, but it just DESTROYS my
> network throughput - it reduces it from around 175 Mb/sec to 20 Mb/sec.
>
> Cables, switches, NICs etc. have been removed as suspects, and falling back
> to either an open firewall or a reduced ruleset firewall restores performance.
>
> So... is this a machine sizing problem - would a faster CPU help (this is
> an older 3.2 GHz quad core i5), or is it just the nature of a software
> firewall and I am exceeding its reasonable throughput?
>
> i.e., is there ipfw tuning to be done, or have I just hit the limits
> of the model and need to consider a hardware firewall?
>
> P.S. The rules in question are thousands of statements like:
>
> ipfw add deny all from some-IP-or-CIDR-block to any via NIC

--
CU,
Victor Gamov
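The table approach above, as an added example that is not part of the thread: a small POSIX sh script that turns a plain block list into ipfw's rule-file syntax (one `table ... add` per prefix plus the single deny rule), normalising bare hosts to /32, collapsing duplicates and skipping malformed lines so one bad entry cannot abort the whole load. The table name `srcIP`, rule number 1500, interface `em0` and the block list itself are constructed placeholders, and the validation is IPv4-only.

```shell
#!/bin/sh
# Added example (not from the thread): build the ipfw table Victor describes
# from a plain block list, so one lookup replaces thousands of per-prefix
# deny rules. Table name, rule number and NIC are assumed placeholders.

# Constructed sample block list: one IPv4 host or CIDR per line, '#' comments
# allowed. A real deployment would read this from a file instead.
BLOCKLIST='198.51.100.0/24
203.0.113.7          # bare host, gets /32
203.0.113.7/32       # duplicate of the line above, collapsed by sort -u
# a comment line
192.0.2.0/24
not-an-address'

# Print ipfw's rule-file syntax (feed it to "ipfw -q /path/to/file" or
# review it first). Nothing here touches the live firewall.
gen_ipfw_table() {
    table=$1; rule=$2; nic=$3
    echo "table $table create type addr"
    printf '%s\n' "$BLOCKLIST" \
      | sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
      | while read -r cidr; do
            # IPv4 only (assumption): reject anything that is not digits, dots
            # and an optional /len; a malformed line would abort the ipfw load.
            case $cidr in
                *[!0-9./]*) echo "skipping malformed entry: $cidr" >&2; continue ;;
                */*)        ;;
                *)          cidr="$cidr/32" ;;   # bare host -> /32
            esac
            echo "table $table add $cidr"
        done | sort -u
    # One rule evaluates the whole table in one lookup instead of a linear
    # walk through a separate deny rule per prefix.
    echo "add $rule deny ip from table($table) to any in recv $nic"
}

# Count the distinct prefixes that would be loaded (a sanity check against
# the source list before reloading the firewall).
count_table_entries() {
    gen_ipfw_table "$1" "$2" "$3" 2>/dev/null | grep -c "^table $1 add "
}

gen_ipfw_table srcIP 1500 em0
```

Load the generated file with `ipfw -q /path/to/file` only after reviewing it; the same table can later be updated with `table srcIP add`/`delete` without touching rule 1500.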