tundra at tundraware.com
Sat Nov 23 16:23:15 UTC 2019
I have a boundary/gateway FreeBSD 11 machine running mostly as a NATing
firewall. The machine is very lightly loaded and has no memory pressure
to speak of.
Recently, I tried going from about 2800 ipfw rules to over 34,000 to block
a number of nations completely. This works, but is just DESTROYS my
network throughput - It reduces it from around 175Mb/sec to 20 Mb/sec.
Cables, switches, NICs etc. have been removed as suspects and falling back
to either an open firewall or reduced ruleset firewall restores performance.
So... is this a machine sizing problem - would a faster CPU help (this is
an older 3.2Ghz quad core i5) or is it just the nature of a software
firewall and I am exceeding its reasonable throughput?
i.e., Is there ipfw tuning to be done or have I just hit the limits
of the model and need to consider a hardware firewall?
P.S. The rules in question are thousands of statements like:
ipfw add deny all from some-IP-or-CIDR-block to any via NIC
More information about the freebsd-questions