From: Vladimir Kapustin
Organization: vltele.com
Date: Wed, 14 Feb 2007 18:36:25 +0300
To: freebsd-pf@freebsd.org
Cc: freebsd-isp@FreeBSD.ORG, freebsd-net@freebsd.org, freebsd-performance@FreeBSD.ORG
Subject: How to optimize ruleset for gateway?
Message-ID: <1024498861.20070214183625@mail.ru>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi, all!
I have such a problem when configuring the gateway for my LAN: I want to minimize the number of rules, and for this purpose I chose PF, but, as I wrote earlier:
http://lists.freebsd.org/pipermail/freebsd-pf/2007-January/002958.html
and found some mails of other people:
http://lists.freebsd.org/pipermail/freebsd-pf/2006-October/002681.html
if I want to configure connection speed for each user on PF, I must configure the number of queues equal to the number of users, i.e. if I configure one queue and allow the table of users to go to the Internet through this queue, I see that all of them share the bandwidth of this queue. I don't think this is a good idea, and now I am choosing some other variants of optimization, such as:

1. Configure PF for major rules and SPAM filtering and IPFW+DUMMYNET for queueing. I've read somewhere that the IPFW shaper supports tables the way I need. I'm afraid that two firewalls would significantly decrease performance.

2. Configure only IPFW. But this means that I have to read the full documentation about it, and find a way to protect the Internet from SPAM going from my local NET.

The ruleset looks like:

0. Binat for real IP.
1. Block NetBIOS
2. Pass all from table-1
3. Pass all from table-128kbps queue 1 (128kbps)
4. .....................
5. Pass all from table-1024kbps queue 4 (1024kbps)
6. Some spam-protection tool (like spamd)
7. Block all

Could somebody give me some advice what way to go?

P.S. Now my gateway works on a 2-processor Xeon router with Redhat and iptables. It has a 100 Mbps Internet channel, and at the time of maximum load it processes 10-20 kpps.
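The rule outline above written out as a pf.conf fragment, added here as an example and not taken from the original post or the FreeBSD project; interface names, addresses, table files and the mail relay address are assumptions:

```pf
# Added example: pf.conf sketch of the ruleset outline in the post.
# Interface names, addresses, table files and the mail relay address
# are assumptions, not values from the original message.
ext_if   = "em0"             # 100 Mbps uplink
int_if   = "em1"             # LAN side
lan      = "192.168.1.0/24"
mailhost = "192.168.1.25"    # the only LAN host allowed to speak SMTP out

# Tables keep the ruleset short while the address lists grow; they can
# be changed live with pfctl -t users128 -T add/delete.
table <trusted>   persist file "/etc/pf/trusted"
table <users128>  persist file "/etc/pf/users128"
table <users1024> persist file "/etc/pf/users1024"

set skip on lo0

# ALTQ on the uplink shapes LAN -> Internet traffic. One queue is one
# bandwidth pool: every address in <users128> shares q_128k, which is
# the behaviour the post describes. Shaping downloads needs a second
# altq block on $int_if.
altq on $ext_if cbq bandwidth 100Mb queue { q_default, q_128k, q_1024k }
queue q_default bandwidth 50% cbq(default)
queue q_128k    bandwidth 128Kb
queue q_1024k   bandwidth 1024Kb

# 0. Translation rules must precede filter rules in pf.conf.
binat on $ext_if from 192.168.1.10 to any -> 203.0.113.10   # real IP
nat on $ext_if from $lan to any -> ($ext_if)

# 1. NetBIOS/SMB never leaves the LAN.
block in quick on $int_if proto { tcp, udp } from any to any port { 137, 138, 139, 445 }
# 6. Outbound spam control, placed before the "quick" pass rules so
#    that a shaped user cannot bypass it: only the relay talks SMTP.
pass in quick on $int_if proto tcp from $mailhost to any port smtp keep state
block in log quick on $int_if proto tcp from $lan to any port smtp
# 2. Trusted hosts: unshaped, default queue.
pass in quick on $int_if from <trusted> to any keep state
# 3./5. Per-class queues; the state records the queue, so the packets
#       are queued when they leave $ext_if.
pass in quick on $int_if from <users128>  to any keep state queue q_128k
pass in quick on $int_if from <users1024> to any keep state queue q_1024k
# Traffic the gateway itself originates.
pass out quick on $ext_if keep state
# 7. Everything else is dropped.
block all
```

Because the pass rules are `quick`, the trailing `block all` only catches what no earlier rule matched, and the logged SMTP block gives a cheap indicator of a LAN host that has started spamming.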