[54797] in North American Network Operators' Group


Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls

daemon@ATHENA.MIT.EDU (David G. Andersen)
Fri Jan 17 00:32:19 2003

Date: Fri, 17 Jan 2003 00:29:21 -0500
From: "David G. Andersen" <dga@lcs.mit.edu>
To: Josh Brooks <user@mail.econolodgetulsa.com>
Cc: nanog@merit.edu
Mail-Followup-To: "David G. Andersen" <dga@lcs.mit.edu>,
	Josh Brooks <user@mail.econolodgetulsa.com>, nanog@merit.edu
In-Reply-To: <20030116142026.H38599-100000@mail.econolodgetulsa.com>
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, Jan 16, 2003 at 03:17:44PM -0800, Josh Brooks mooed:
> 
> Currently, I run a FreeBSD firewall running ipfw (500 mhz celeron, 256
> mags ram).  This machine does nothing - runs no services but ssh, and
> simply sits at my network border doing packet filtering.  I have a lot of
> hosts (four /24s - about 500 active IPs) behind this firewall, and
> 
> The problem I am running into is simply that my firewall CPU chokes.  It
> is not because the traffic is high - the line does not become saturated,
> and sometimes total traffic can be less than 5 megabits/s - BUT the
> packets/s count goes way up (sometimes by a factor of 50) and because all

  a)  Shorten your rules. :-)
  b)  Have you tried ipfw2, or upgraded to 5.0-DR3?
      (ipfw2 has some known bugs in 4.7-release, but I think it's
      happy in stable.  test, though)
  c)  Have you tried using polling mode for your ethernet device drivers?
      (options DEVICE_POLLING, options HZ=1000)
      Can improve forwarding performance under heavy load/small packets,
      e.g. a DoS attack

> So my questions are as follows:
> 
> 1. Am I wasting my time trying to make my FreeBSD+ipfw firewall more
> resilient and sophisticated ?  Again, I have probably only scratched the
> surface, but let's say I emerge from my office 12 months from now having
> memorized the ipfw source code and having learned _everything_ there is to
> learn about this problem - will I simply conclude that FreeBSD+ipfw is not
> good enough and I just need to go get an appliance ?

  Not for 12Kpps.  For some really sick rate, you might have to
go with an (expensive!) appliance.  But for what you're seeing, it should
be quite feasible to handle with a host.

  Other questions to check on:  What ethernet device are you using?
If it's not de or fxp, you're shooting yourself in the foot.

  -Dave

-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
      I do not accept unsolicited commercial email.  Do not spam me.
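The "shorten your rules" advice above comes from the way ipfw walks its ruleset: first match wins, and every packet costs as many rule checks as it takes to reach that match, so packet rate, not bandwidth, sets the CPU load. The toy simulation below is an added example, not code from the thread; its networks, hosts, rules and packets are constructed, and 12 Kpps is the figure quoted in the reply.

```python
# Added example, not code from the thread: a toy model of ipfw's
# first-match linear rule walk, showing why "shorten your rules" matters
# when packets/s climbs even though bandwidth stays low. All networks,
# hosts, rules and packets below are constructed for illustration.
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
# Four /24s with 125 hosts each = 500 hosts, mirroring the original post.
NETS = [ip_network(f"10.0.{i}.0/24") for i in range(4)]
HOSTS = [net[h] for net in NETS for h in range(1, 126)]

def first_match(rules, pkt):
    """Walk rules in order like ipfw; return (action, rules examined)."""
    src, dst, established = pkt
    for n, (action, src_net, dst_net, est_only) in enumerate(rules, 1):
        if est_only and not established:
            continue            # rule still cost a lookup
        if src in src_net and dst in dst_net:
            return action, n
    return "deny", len(rules)   # fell off the end: default deny

# Ruleset A: one "allow ... to <host>" rule per host, then deny.
LONG_RULES = [("allow", ANY, ip_network(f"{h}/32"), False) for h in HOSTS]
LONG_RULES.append(("deny", ANY, ANY, False))

# Ruleset B: an early "established" rule catches reply traffic, then one
# rule per /24 instead of one per host.
SHORT_RULES = [("allow", ANY, ANY, True)]
SHORT_RULES += [("allow", ANY, net, False) for net in NETS]
SHORT_RULES.append(("deny", ANY, ANY, False))

def sample_packets():
    """One established reply and one new-connection packet per host."""
    outside = ip_address("198.51.100.7")     # constructed external peer
    pkts = []
    for h in HOSTS:
        pkts.append((outside, h, True))
        pkts.append((outside, h, False))
    return pkts

def average_rules_examined(rules, packets):
    total = sum(first_match(rules, p)[1] for p in packets)
    return total / len(packets)

def rule_checks_per_second(rules, packets, pps=12_000):
    """Rule lookups the CPU must do per second at a given packet rate."""
    return int(average_rules_examined(rules, packets) * pps)

if __name__ == "__main__":
    pk = sample_packets()
    for name, rs in (("long", LONG_RULES), ("short", SHORT_RULES)):
        print(f"{name}: {len(rs)} rules, avg examined "
              f"{average_rules_examined(rs, pk):.2f}, "
              f"{rule_checks_per_second(rs, pk):,} checks/s at 12 Kpps")
```

The per-host ruleset averages about 250 checks per packet against roughly 2 for the short one, a 100x difference in per-packet work at the same 12 Kpps.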
