How to optimize ruleset for gateway?

Vladimir Kapustin msgs_for_me at mail.ru
Wed Feb 14 15:36:29 UTC 2007


Hi, all!

I have such a problem when configuring the gateway for my LAN:

I want to minimize the number of rules, and for this purpose I chose PF,
but, as I wrote earlier:
http://lists.freebsd.org/pipermail/freebsd-pf/2007-January/002958.html
and found some mails of other people:
http://lists.freebsd.org/pipermail/freebsd-pf/2006-October/002681.html
if I want to configure connection speed for each user on PF, I must
configure the number of queues equal to the number of users, i.e. if I
configure one queue and allow the table of users go to the Internet through
this queue, I see, that all of them share the bandwidth of this queue.

I don't think this is a good idea, and now I'm choosing some other
variants of optimization, such as:

1. Configure PF for major rules and SPAM filtering and IPFW+DUMMYNET for
queueing. I've read somewhere, that IPFW-shaper supports tables the way I
need. I'm afraid that two firewalls should significantly decrease performance.

2. Configure only IPFW. But this means that I have to read full documentation
about it, and find the way to protect the Internet from SPAM going from my 
local NET.

The ruleset looks like:
0. Binat for real IP.
1. Block NetBIOS
2. Pass all from table-1
3. Pass all from table-128kbps queue 1(128kbps)
4. .....................
5. Pass all from table-1024kbps queue 4(1024kbps)
6. Some spam-protection tool (like spamd)
7. Block all

Could somebody give me some advice what way to go?

P.S. Now my gateway works on 2-processor Xeon router with Redhat and iptables.
It has 100 Mbps Internet channel, and in the time of maximum charge it
processes 10-20 kpps.
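As an added example (not from the original post or any reply on the list), here is the dummynet side of the IPFW options the author is weighing, written as a script that prints the ipfw sub-commands so they can be reviewed before being applied. The outside interface name em0, the table and pipe numbers and the four rate classes are assumptions; the binat and spamd steps from the author's list are outside dummynet and are not shown. The point it demonstrates is the one the author read about: a dummynet pipe with a 32-bit address mask keeps a separate bandwidth bucket per host, so every host in a table gets its own 128 kbps (or whatever the class rate is) instead of all of them sharing one ALTQ queue.

```shell
#!/bin/sh
# Constructed example: per-host shaping with ipfw + dummynet driven by tables.
# Not code from the original post. Assumed: outside interface em0, the
# table/pipe numbers and the four rate classes below.
set -u

IFACE="${IFACE:-em0}"

# One line per speed class: <table> <upload pipe> <download pipe> <Kbit/s>
CLASSES="
10 1 2 128
11 3 4 256
12 5 6 512
13 7 8 1024
"

# pipe_cmd: dummynet pipe for one class and one direction.
# The 32-bit mask on the source (upload) or destination (download) address
# makes dummynet keep a separate flow, and therefore a separate bandwidth
# bucket, for every matching host. Hosts in one table thus do not share the
# rate the way they would behind a single ALTQ queue.
pipe_cmd() {  # $1 pipe number, $2 rate in Kbit/s, $3 "src-ip" or "dst-ip"
    printf 'pipe %s config bw %sKbit/s queue 50 mask %s 0xffffffff\n' "$1" "$2" "$3"
}

# class_rules: two firewall rules sending a table's hosts into its pipes.
# With net.inet.ip.fw.one_pass=1 (the default) a packet leaving a pipe is
# accepted, so these rules also act as the "pass" for those hosts.
class_rules() {  # $1 rule number, $2 table, $3 upload pipe, $4 download pipe
    printf 'add %s pipe %s ip from table(%s) to any out xmit %s\n' "$1" "$3" "$2" "$IFACE"
    printf 'add %s pipe %s ip from any to table(%s) in recv %s\n' "$1" "$4" "$2" "$IFACE"
}

# build_ruleset: print the ipfw sub-commands in the order of the author's
# list: NetBIOS block, unlimited table, one pipe pair per rate class, final
# deny. Pipes are configured before the rules that reference them.
build_ruleset() {
    echo 'add 100 deny tcp from any to any 137-139,445'
    echo 'add 101 deny udp from any to any 137-139'
    echo 'add 200 allow ip from table(1) to any'
    n=1000
    echo "$CLASSES" | while read -r table up down rate; do
        [ -n "$table" ] || continue
        pipe_cmd "$up" "$rate" src-ip
        pipe_cmd "$down" "$rate" dst-ip
        class_rules "$n" "$table" "$up" "$down"
        n=$((n + 10))
    done
    echo 'add 65000 deny ip from any to any'
}

# Usage: review with `sh shape.sh`; apply with
#   sh shape.sh | sed 's/^/ipfw -q /' | sh
# after filling the tables, e.g. `ipfw table 10 add 192.168.1.10/32`.
build_ruleset
```

Hosts are moved between speed classes by changing table membership alone (`ipfw table 10 delete ...`, `ipfw table 11 add ...`); the rule and pipe set stays fixed at two rules per class, which is the rule-count reduction the author is after. The per-host buckets are created on demand by dummynet, so memory use grows with the number of active hosts rather than with the number of rules.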
