On Thu, Jan 16, 2003 at 03:17:44PM -0800, Josh Brooks mooed:
Currently, I run a FreeBSD firewall running ipfw (500 MHz Celeron, 256 megs RAM). This machine does nothing - runs no services but ssh, and simply sits at my network border doing packet filtering. I have a lot of hosts (four /24s - about 500 active IPs) behind this firewall, and
The problem I am running into is simply that my firewall CPU chokes. It is not because the traffic is high - the line does not become saturated, and sometimes total traffic can be less than 5 megabits/s - BUT the packets/s count goes way up (sometimes by a factor of 50) and because all
a) Shorten your rules. :-)
b) Have you tried ipfw2, or upgraded to 5.0-DR3? (ipfw2 has some known bugs in 4.7-release, but I think it's happy in stable. test, though)
c) Have you tried using polling mode for your ethernet device drivers? (options DEVICE_POLLING, options HZ=1000) Can improve forwarding performance under heavy load/small packets, e.g. a DoS attack
So my questions are as follows:
1. Am I wasting my time trying to make my FreeBSD+ipfw firewall more resilient and sophisticated? Again, I have probably only scratched the surface, but let's say I emerge from my office 12 months from now having memorized the ipfw source code and having learned _everything_ there is to learn about this problem - will I simply conclude that FreeBSD+ipfw is not good enough and I just need to go get an appliance?
Not for 12Kpps. For some really sick rate, you might have to go with an (expensive!) appliance. But for what you're seeing, it should be quite feasible to handle with a host.

Other questions to check on: What ethernet device are you using? If it's not de or fxp, you're shooting yourself in the foot.

-Dave
--
work: dga@lcs.mit.edu  me: dga@pobox.com
MIT Laboratory for Computer Science  http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.
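An added example, not part of the thread and not Dave's or Josh's own configuration, of what "shorten your rules" and the polling suggestion look like in practice on a FreeBSD/ipfw border box of that era. The point is that ipfw evaluates rules linearly per packet, so at high packets/s the cost is (rules walked per packet) x (pps); the ruleset below puts cheap early exits first and uses skipto so a packet only walks the branch for its direction instead of the whole list. The interface name fxp0, the aggregate 10.1.0.0/22 standing in for the four /24s, the open ports and the sysctl values are assumptions for illustration; the DEVICE_POLLING/HZ kernel options are the ones named in the reply. Running with fwcmd=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example ruleset in /etc/rc.firewall style (not from the thread).
# Kernel config lines this assumes (rebuild and reboot after adding them):
#   options DEVICE_POLLING
#   options HZ=1000

fwcmd="${fwcmd:-/sbin/ipfw}"   # export fwcmd=echo for a dry run
oif="fxp0"                      # outside interface (assumption)
inside="10.1.0.0/22"           # the four /24s behind the box (assumption)

load_rules() {
    ${fwcmd} -f flush
    # 1. Cheap early exits come first: loopback and the bulk of traffic
    #    (established TCP) leave the list after two rules instead of walking
    #    every per-service rule below.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 allow tcp from any to any established
    # 2. Anti-spoofing: inside addresses must never arrive on the outside.
    ${fwcmd} add 300 deny ip from ${inside} to any in via ${oif}
    # 3. Dispatch by direction so each packet evaluates only one branch.
    ${fwcmd} add 400 skipto 1000 ip from any to any in via ${oif}
    ${fwcmd} add 500 skipto 2000 ip from any to any out via ${oif}
    # Packets that did not cross the outside interface (e.g. in/out on the
    # inside NICs) must pass here or nothing is forwarded at all.
    ${fwcmd} add 600 allow ip from any to any
    # 4. Inbound branch (1000-1999): only new connections to published
    #    services, DNS replies and a few ICMP types; everything else dropped.
    ${fwcmd} add 1000 allow tcp from any to ${inside} 22,25,80 setup
    ${fwcmd} add 1100 allow udp from any 53 to ${inside}
    ${fwcmd} add 1200 allow icmp from any to any icmptypes 0,3,11
    ${fwcmd} add 1900 deny ip from any to any
    # 5. Outbound branch (2000-2999): anything from inside may leave.
    ${fwcmd} add 2000 allow ip from ${inside} to any
    ${fwcmd} add 2900 deny ip from any to any
}

# Runtime knobs for DEVICE_POLLING (values are assumptions; tune under load).
enable_polling() {
    sysctl kern.polling.enable=1
    sysctl kern.polling.user_frac=50
}

case "${1:-}" in
    load)    load_rules ;;
    polling) enable_polling ;;
esac
```

Keep in mind that rule 200 matches on TCP flags, not connection state, so a flood of crafted ACK packets still costs one rule evaluation each; that is the cheap path by design, and it is exactly the case where polling (which bounds the interrupt load instead of letting the NIC livelock the CPU) buys the most. Use `ipfw show` after loading and watch the packet counters to confirm most traffic really is matching in the first few rules.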