From: Michael Sierchio
Date: Sat, 23 Nov 2019 09:46:19 -0800
Subject: Re: Optimizing ipfw?
To: Tim Daneliuk
Cc: FreeBSD Mailing List
List: freebsd-questions@freebsd.org

Don't use specific rules per CIDR block, use tables. You can efficiently handle hundreds of thousands of CIDR blocks and IPv6 prefixes in a single table, or multiple tables. You can assign the argument based on country code or some such. You can add and delete CIDR blocks, and even swap tables so you can do it atomically.

On Sat, Nov 23, 2019 at 8:23 AM Tim Daneliuk wrote:
> I have a boundary/gateway FreeBSD 11 machine running mostly as a NATing
> firewall. The machine is very lightly loaded and has no memory pressure
> to speak of.
>
> Recently, I tried going from about 2800 ipfw rules to over 34,000 to block
> a number of nations completely. This works, but it just DESTROYS my
> network throughput - It reduces it from around 175Mb/sec to 20 Mb/sec.
>
> Cables, switches, NICs etc. have been removed as suspects and falling back
> to either an open firewall or reduced ruleset firewall restores
> performance.
>
> So... is this a machine sizing problem - would a faster CPU help (this is
> an older 3.2Ghz quad core i5) or is it just the nature of a software
> firewall and I am exceeding its reasonable throughput?
>
> i.e., Is there ipfw tuning to be done or have I just hit the limits
> of the model and need to consider a hardware firewall?
>
> P.S. The rules in question are thousands of statements like:
>
> ipfw add deny all from some-IP-or-CIDR-block to any via NIC
>

-- 
"Well," Brahmā said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred."
- The Mahābhārata
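The table-based approach Michael describes, as an added example that is not from the original post or from FreeBSD's own scripts: a POSIX sh script that loads a constructed prefix list into a staging ipfw table, swaps it under the live table name in one step, and matches the whole table from a single deny rule. Assumed placeholders: interface em0, rule number 100, the table names blocked/blocked_new, and the numeric per-prefix value column; setting IPFW=echo prints the ipfw commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the list post. Replaces thousands of per-CIDR
# "ipfw add deny" rules with one rule that matches against a named table.
# Assumes FreeBSD 11+ ipfw named tables; em0, rule 100 and the table
# names are placeholders. IPFW=echo prints the commands instead (dry run).
IPFW="${IPFW:-ipfw}"
IFACE="${IFACE:-em0}"
TABLE="blocked"          # live table referenced by the deny rule
STAGING="${TABLE}_new"   # filled off to the side, then swapped in

# Constructed sample input (documentation prefixes, RFC 5737 / RFC 3849):
# "prefix [value]" per line; the numeric value is a placeholder tag that
# could encode a country and be used later via tablearg.
sample_blocklist() {
    cat <<'EOF'
# comment lines and blanks are ignored
192.0.2.0/24 1
198.51.100.0/24 1

2001:db8::/32 2
EOF
}

# Create (or empty) the named table and add every prefix read on stdin.
load_table() {
    name="$1"
    $IPFW table "$name" create type addr 2>/dev/null \
        || $IPFW table "$name" flush
    while read -r prefix value; do
        case "$prefix" in ''|'#'*) continue ;; esac
        $IPFW table "$name" add "$prefix" ${value:+"$value"}
    done
}

# One rule for the whole table instead of one rule per block.
install_rule() {
    $IPFW table "$TABLE" create type addr 2>/dev/null || true
    $IPFW add 100 deny ip from "table($TABLE)" to any via "$IFACE"
}

# Atomic refresh: the live rule never sees a half-loaded table, because
# the swap exchanges the full staging table for the old one in one step.
refresh() {
    sample_blocklist | load_table "$STAGING"
    $IPFW table "$TABLE" swap "$STAGING"
    $IPFW table "$STAGING" flush   # old contents, now under the staging name
}

case "${1:-}" in apply) install_rule && refresh ;; esac
```

Run as `sh blocklist.sh apply` on the gateway, or `IPFW=echo sh blocklist.sh apply` to review the generated commands first.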