Date:      Wed, 09 Oct 2002 15:23:02 +1000
From:      Christopher Smith <csmith@its.uq.edu.au>
To:        Mike Silbersack <silby@silby.com>
Cc:        <hardware@freebsd.org>, <net@freebsd.org>
Subject:   Re: High interrupt load on firewalls
Message-ID:  <B9C9FA56.30E7C%csmith@its.uq.edu.au>
In-Reply-To: <20021009000519.J2019-100000@patrocles.silby.com>

On 9/10/02 3:07 PM, "Mike Silbersack" <silby@silby.com> wrote:

> 
> 
> On Wed, 9 Oct 2002, Christopher Smith wrote:
> 
>> We have two firewalls sitting on gigabit links.  Each has 2 Netgear GA620
>> (ti driver) fibre cards with about 7 vlans spread across them.  Both these
>> machines run at *very* high interrupt loads (95 - 100% during business hours
>> (mostly 100%), 80 - 90 % during off hours).  They are 1GHz P3 machines (Dell
>> 1550s) with 256MB of RAM.  They're actually dual machines, but enabling the
>> second CPU doesn't help in terms of load, it just halves the numbers top
>> reports.
> 
> I'm not sure if system vs interrupt accounting is entirely accurate, so
> I'm going to postulate that the firewall itself could actually be the
> dominant consumer of CPU time.  Are you using ipfw?  If so, have you tried
> out Luigi's new IPFW2?  It was MFC'd to 4.6-stable, and is supposed to be
> more efficient.

No, we use IPFilter (and that definitely isn't going to change any time
soon).

The ruleset has about 1600 rules and does employ groups.  I am (slowly) in
the process of trimming some of the fat (though not primarily for
performance reasons, there's just crap in there that needs to be removed).

The rule processing can't be done on the other CPU, can it?  Am I right in
saying that at this point in time, buying a dual CPU (vs single CPU) machine
for firewalling with FreeBSD is just a waste of money?

-- 
+- Christopher Smith, Systems Administrator ------------------------------+
|  Server & Security Group, Information Technology Services               |
|  The University of Queensland, Brisbane, Australia, 4072                |
+- Ph +61 7 3365 4046 | email csmith@its.uq.edu.au | Fax +61 7 3365 4065 -+


