Firewall Performance Question.

Darcy Buskermolen darcy at wavefire.com
Thu Jun 19 14:44:00 PDT 2003


You could try organizing your rules using skipto to reduce the number of 
rules any packet has to traverse, for example...

# dispatch on the high bit of the source address: 0/1 = 0-127, 128/1 = 128-255
100 skipto 1000 ip from 0.0.0.0/1 to my-ip
200 skipto 2000 ip from 128.0.0.0/1 to my-ip

# block for sources 0.0.0.0-127.255.255.255
1000 deny ip from 24.6.76.8 to any
1001 deny ip from 65.65.26.7 to any
1999 skipto 3000 ip from any to any

# block for sources 128.0.0.0-255.255.255.255
2000 deny ip from 192.168.0.1 to any
2001 deny ip from 243.74.87.32 to any
2999 skipto 3000 ip from any to any

3000 allow ip from any to any

This would in effect reduce the number of rules any packet was traversing by 
50%

I hope this gets your mind thinking...


On Thursday 19 June 2003 14:08, Tom Daly wrote:
> Hi,
>
> On Thu, 19 Jun 2003, Michael Sierchio wrote:
> > Tom Daly wrote:
> > > I am currently running a Dell Poweredge 350 with FreeBSD 4.7 as a
> > > network firewall for one of our sites. This site sees about 3 megabits
> > > of traffic.
> >
> > per some unit of time, I presume? ;-)  maybe 3Mbit/s?
>
> Yes, 3Mbits/s.
>
> > > The average firewall ruleset runs around 600-800 rules, running on
> > > IPFW.
> >
> > That's a huge number of rules -- do you have any idea what number
> > of packets are checked against how many rules before being accepted
> > or denied?  A histogram would be nice....
>
> Most of these rules are a simple "ipfw deny all from x.x.x.x to any."
> Could some sort of source route to a null interface be better?
>
> > > Could this be a direct cause of why my system's interrupt usage is over
> > > 50% at many times, as well as sending ICMP source quenches from time to
> > > time?
> > >
> > > Can anyone suggest a performance tweak to help this box along?
> >
> > Without seeing the ruleset, I'd venture a guess that IPFW2 would
> > help reduce the number of rules, and that a clever refactoring
> > (with poss. use of skipto rules) might reduce the load.
>
> The base ruleset is about 160 rules. The box can handle this with minimal
> CPU load. The additional 500 rules, similar to the one above are the
> problem.
>
> Suggestions?
>
> Tom
>
> > --
> >
> > "Well," Brahma said, "even after ten thousand explanations, a fool is no
> >   wiser, but an intelligent man requires only two thousand five hundred."
> >                  - The Mahabharata
> >
> > _______________________________________________
> > freebsd-net at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-net
> > To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"

-- 
Darcy Buskermolen
Wavefire Technologies Corp.
ph: 250.717.0200
fx:  250.763.1759
http://www.wavefire.com
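The skipto partitioning sketched in the reply above, carried a step further as an added example (this is not Darcy's ruleset or anything from the thread): a POSIX sh generator that takes a list of per-host deny addresses and emits a ruleset split into eight buckets keyed on the top three bits of the source address (/3 prefixes), each bucket ending with a skipto past all the others. The rule numbering, the choice of "from <prefix> to any" as the dispatch match, the /3 bucket width and the final allow standing in for the rest of the base ruleset are all assumptions made for the example; the four sample addresses are the ones used in the sketch above.

```shell
#!/bin/sh
# Added example, not from the thread. Generate an ipfw ruleset that
# partitions per-host "deny ip from X to any" rules into buckets keyed
# on the top three bits of the source address, so a packet only walks
# the bucket that could possibly match it. Rule numbers, the dispatch
# match and the trailing allow are assumptions for illustration.

BUCKET_BITS=3            # /3 prefixes -> 8 buckets of 32 first-octet values
BUCKETS=8
DISPATCH_BASE=100        # dispatch rules 100, 200, ..., 800; catch-all at 900
BLOCK_BASE=1000          # bucket b occupies 1000*(b+1) .. 1000*(b+1)+999
ALLOW_RULE=10000         # every bucket ends with a skipto here

# bucket_of A.B.C.D -> bucket index 0..7 (first octet / 32).
# Prints nothing and returns 1 on a malformed address.
bucket_of() {
    first=${1%%.*}
    case "$first" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$first" -le 255 ] || return 1
    echo $(( first / 32 ))
}

# gen_skipto_ruleset: reads one deny address per line on stdin (blank
# lines and '#' comments are ignored) and prints the complete ruleset:
# dispatch rules first, then one block per non-empty bucket, then the allow.
gen_skipto_ruleset() {
    addrs=$(grep -Ev '^[[:space:]]*(#|$)' || true)
    dispatch=""
    blocks=""
    b=0
    while [ "$b" -lt "$BUCKETS" ]; do
        block=$(( BLOCK_BASE * (b + 1) ))
        prefix="$(( b * 32 )).0.0.0/$BUCKET_BITS"
        members=""
        for a in $addrs; do
            idx=$(bucket_of "$a") || { echo "bad address: $a" >&2; return 1; }
            if [ "$idx" -eq "$b" ]; then
                members="$members $a"
            fi
        done
        if [ -n "$members" ]; then
            dispatch="$dispatch$(( DISPATCH_BASE * (b + 1) )) skipto $block ip from $prefix to any\n"
            n=$block
            for a in $members; do
                # keep block+999 free for the bucket's trailing skipto
                if [ "$n" -gt $(( block + 998 )) ]; then
                    echo "bucket $b overflows 998 rules" >&2
                    return 1
                fi
                blocks="$blocks$n deny ip from $a to any\n"
                n=$(( n + 1 ))
            done
            blocks="$blocks$(( block + 999 )) skipto $ALLOW_RULE ip from any to any\n"
        fi
        b=$(( b + 1 ))
    done
    printf '%b' "$dispatch"
    # sources whose bucket holds no deny rules skip every block
    echo "$(( DISPATCH_BASE * (BUCKETS + 1) )) skipto $ALLOW_RULE ip from any to any"
    printf '%b' "$blocks"
    echo "$ALLOW_RULE allow ip from any to any"
}

# The four addresses from the sketch above, run through the generator:
printf '%s\n' 24.6.76.8 65.65.26.7 192.168.0.1 243.74.87.32 | gen_skipto_ruleset
```

With the four sample addresses, a packet from 65.65.26.7 hits rule 300, jumps to 3000, is denied there, and never sees the other buckets; a packet from a source in an empty bucket hits the catch-all at 900 and jumps straight to the allow. In a real deployment the dispatch rules would sit where the 500 deny rules currently are, and rule 10000 would be the continuation of the existing base ruleset rather than a blanket allow.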

