Date:      Sat, 23 Nov 2019 09:46:19 -0800
From:      Michael Sierchio <kudzu@tenebras.com>
To:        Tim Daneliuk <tundra@tundraware.com>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Optimizing ipfw?
Message-ID:  <CAHu1Y726%2BWLu9E=504QjiV2mfhYnSeRZwEU8wFvrF88ziATdSA@mail.gmail.com>
In-Reply-To: <ac88a9fd-b3e4-a7f2-6f05-bf00df8f9626@tundraware.com>
References:  <ac88a9fd-b3e4-a7f2-6f05-bf00df8f9626@tundraware.com>

Don't use specific rules per CIDR block, use tables.  You can efficiently
handle hundreds of thousands of CIDR blocks and IPv6 prefixes in a single
table, or multiple tables.  You can assign the argument based on country
code or some such. You can add and delete CIDR blocks, and even swap tables
so you can do it atomically.



On Sat, Nov 23, 2019 at 8:23 AM Tim Daneliuk <tundra@tundraware.com> wrote:

> I have a boundary/gateway FreeBSD 11 machine running mostly as a NATing
> firewall.  The machine is very lightly loaded and has no memory pressure
> to speak of.
>
> Recently, I tried going from about 2800 ipfw rules to over 34,000 to block
> a number of nations completely.   This works, but it just DESTROYS my
> network throughput - It reduces it from around 175Mb/sec to 20 Mb/sec.
>
> Cables, switches, NICs etc. have been removed as suspects and falling back
> to either an open firewall or reduced ruleset firewall restores
> performance.
>
> So... is this a machine sizing problem - would a faster CPU help (this is
> an older 3.2Ghz quad core i5) or is it just the nature of a software
> firewall and I am exceeding its reasonable throughput?
>
> i.e., Is there ipfw tuning to be done or have I just hit the limits
>       of the model and need to consider a hardware firewall?
>
> P.S.  The rules in question are thousands of statements like:
>
>        ipfw  add deny all from some-IP-or-CIDR-block to any via NIC


-- 

"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
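The table-based approach Michael recommends, written out as an added example (this script is not from the thread and not part of ipfw itself). It assumes a FreeBSD 11+ ipfw with named tables, an interface name `em0`, two table names `blocklist` and `blocklist_new`, and a constructed prefix list made of RFC 5737 / RFC 3849 documentation ranges standing in for a country CIDR file. `IPFW` defaults to `echo ipfw`, so by default the script only prints the commands it would run; set `IPFW=/sbin/ipfw` and run it as root to apply them. A single deny rule referencing the table replaces thousands of per-CIDR rules, and the staging-table plus `swap` sequence replaces the whole list in one step so the live rule never sees a half-loaded table.

```shell
#!/bin/sh
# Added example, not from the original thread: one deny rule backed by an ipfw
# table, with the list loaded into a staging table and swapped in atomically.
# Assumptions: interface name, table names and the prefixes below are
# constructed placeholders. IPFW defaults to "echo ipfw" (dry run); use
# IPFW=/sbin/ipfw as root on FreeBSD to really apply the commands.
IPFW=${IPFW:-"echo ipfw"}
NIC=${NIC:-em0}            # assumed interface name
LIVE=blocklist             # table the deny rule references
STAGE=blocklist_new        # staging table filled off-line, then swapped in

# Constructed sample list standing in for a country CIDR file:
# one prefix per line, blank lines and "#" comments allowed,
# IPv4 and IPv6 prefixes may share one addr-type table.
CIDRS='
# documentation ranges (RFC 5737 / RFC 3849), constructed sample
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24
2001:db8::/32
'

# Drop comments and blank lines from a prefix list on stdin.
clean_list() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# Number of usable prefixes in the list on stdin.
count_prefixes() {
    clean_list | wc -l | tr -d ' '
}

# Add every prefix from stdin to table $1 (one "table add" per prefix).
load_table() {
    clean_list | while read -r p; do
        $IPFW table "$1" add "$p"
    done
}

# Install the single deny rule once; it keeps working across table swaps.
install_rule() {
    $IPFW table "$LIVE" create type addr 2>/dev/null || true   # ok if it exists
    $IPFW add 100 deny ip from "table($LIVE)" to any via "$NIC"
}

# Rebuild the list in the staging table, then swap it under the live rule.
deploy_blocklist() {
    $IPFW table "$STAGE" create type addr 2>/dev/null || true  # ok if it exists
    $IPFW table "$STAGE" flush
    printf '%s\n' "$CIDRS" | load_table "$STAGE"
    $IPFW table "$LIVE" swap "$STAGE"     # one atomic switch for the deny rule
    $IPFW table "$STAGE" flush            # old list now sits in STAGE; drop it
}

install_rule
deploy_blocklist
```

After a real run, `ipfw table blocklist lookup 192.0.2.5` shows which prefix an address matches and `ipfw table blocklist list | wc -l` confirms the entry count; adding or removing individual prefixes later is just `ipfw table blocklist add <prefix>` or `delete <prefix>` with no rule renumbering.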


