Date: Sat, 23 Nov 2019 10:21:43 -0600
From: Tim Daneliuk <tundra@tundraware.com>
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Optimizing ipfw?
Message-ID: <ac88a9fd-b3e4-a7f2-6f05-bf00df8f9626@tundraware.com>
I have a boundary/gateway FreeBSD 11 machine running mostly as a NATing
firewall. The machine is very lightly loaded and has no memory pressure
to speak of.
Recently, I tried going from about 2800 ipfw rules to over 34,000 to block
a number of nations completely. This works, but it just DESTROYS my
network throughput - it reduces it from around 175 Mb/sec to 20 Mb/sec.
Cables, switches, NICs etc. have been removed as suspects and falling back
to either an open firewall or reduced ruleset firewall restores performance.
So... is this a machine sizing problem - would a faster CPU help (this is
an older 3.2 GHz quad core i5) or is it just the nature of a software
firewall and I am exceeding its reasonable throughput?
i.e., is there ipfw tuning to be done or have I just hit the limits
of the model and need to consider a hardware firewall?
P.S. The rules in question are thousands of statements like:
ipfw add deny all from some-IP-or-CIDR-block to any via NIC
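One ipfw-native way to handle a block list of this size, as an added example that is not from the original post or its thread: ipfw lookup tables hold the CIDR blocks, so one rule replaces the thousands of individual deny rules. The interface `em0`, the table name `blocklist`, rule number 500 and the sample CIDR list are placeholders chosen for this example, and the script only prints the commands for review instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the original post. Emits the ipfw commands
# that load a list of CIDR blocks into one lookup table and attach a single
# deny rule to it, instead of one "ipfw add deny" rule per block.
# Placeholders (assumptions for this example): interface em0, table name
# "blocklist", rule number 500.

IFACE="${IFACE:-em0}"
TABLE="${TABLE:-blocklist}"
RULENUM="${RULENUM:-500}"

# Constructed sample input: one CIDR per line; blank lines and '#' comments allowed.
SAMPLE_CIDRS='# constructed sample block list
192.0.2.0/24
198.51.100.0/24

203.0.113.0/24
'

# True if the line looks like an IPv4 address with an optional /prefix.
is_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# gen_table_rules: read CIDRs on stdin, print the ipfw commands on stdout.
gen_table_rules() {
    printf 'ipfw table %s create type addr\n' "$TABLE"
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        if is_cidr "$line"; then
            printf 'ipfw table %s add %s\n' "$TABLE" "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done
    # One rule consults the whole table; the table lookup is a radix-tree
    # search, not a linear walk over thousands of rules. "ip" is the same
    # as the "all" keyword used in the post.
    printf "ipfw add %s deny ip from 'table(%s)' to any in via %s\n" \
        "$RULENUM" "$TABLE" "$IFACE"
}

# count_rule_lines: number of "ipfw add" rule lines in generated output.
count_rule_lines() {
    grep -c '^ipfw add ' || true
}

printf '%s' "$SAMPLE_CIDRS" | gen_table_rules
```

Review the printed commands, then run them (or feed them to `sh`) on the gateway; the existing per-CIDR rules can then be deleted.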
