Optimizing ipfw?

Tim Daneliuk tundra at tundraware.com
Sat Nov 23 16:23:15 UTC 2019

I have a boundary/gateway FreeBSD 11 machine running mostly as a NATing
firewall.  The machine is very lightly loaded and has no memory pressure
to speak of.

Recently, I tried going from about 2800 ipfw rules to over 34,000 to block
a number of nations completely.  This works, but it just DESTROYS my
network throughput - it reduces it from around 175 Mb/sec to 20 Mb/sec.

Cables, switches, NICs etc. have been removed as suspects and falling back
to either an open firewall or reduced ruleset firewall restores performance.

So... is this a machine sizing problem - would a faster CPU help (this is
an older 3.2GHz quad core i5) or is it just the nature of a software
firewall and I am exceeding its reasonable throughput?

i.e., is there ipfw tuning to be done or have I just hit the limits
      of the model and need to consider a hardware firewall?

P.S.  The rules in question are thousands of statements like:

       ipfw add deny all from some-IP-or-CIDR-block to any via NIC
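As an added illustration (not part of the original post, and not code from the poster): ipfw evaluates the rule list linearly for every packet, so 34,000 separate deny rules means up to 34,000 comparisons per packet, which is consistent with the throughput collapse described above. The usual way to keep a large address blocklist cheap is an ipfw table, which is a radix-tree lookup, referenced from a single rule. The script below does not call ipfw itself; it generates the commands that build such a table and the one rule that uses it, so the output can be reviewed and then fed to `sh` on the gateway. The interface name `em0`, the table name `blocklist`, rule number `100`, and the three RFC 5737 documentation networks are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Turns a list of CIDR blocks
# into ipfw table entries plus ONE deny rule, instead of one rule per block.
# Assumed names: interface em0, table "blocklist", rule number 100.

# Constructed sample input (RFC 5737 documentation ranges), one network per line.
SAMPLE_BLOCKS="192.0.2.0/24
198.51.100.0/24
203.0.113.0/24"

# gen_ipfw_table_rules IFACE TABLE RULENUM  < blocks
# Emits the ipfw(8) commands to create the table, load every block into it,
# and add a single rule that denies traffic whose source is in the table.
gen_ipfw_table_rules() {
    iface=$1; table=$2; rulenum=$3
    # Named address table (FreeBSD 11+ ipfw syntax).
    echo "ipfw table $table create type addr"
    # Each block becomes a table entry, i.e. a tree node, not a rule.
    while read -r block; do
        [ -n "$block" ] || continue
        echo "ipfw table $table add $block"
    done
    # The one rule that replaces the thousands of per-block deny rules.
    # The parentheses must be quoted so the shell does not try to parse them.
    echo "ipfw add $rulenum deny ip from 'table($table)' to any via $iface"
}

# count_rules < commands : number of "ipfw add" rule statements produced.
# For the linear approach this equals the number of blocks; for the table
# approach it is always 1, whatever the size of the list.
count_rules() {
    grep -c '^ipfw add '
}

# Stand-alone usage: print the generated commands for the sample list.
printf '%s\n' "$SAMPLE_BLOCKS" | gen_ipfw_table_rules em0 blocklist 100
```

Before loading the real list, compare `ipfw show` rule counts before and after: the rule count should drop from tens of thousands to a handful, and `ipfw table blocklist info` reports how many entries the table holds.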
