Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls
David G. Andersen
dga at lcs.mit.edu
Fri Jan 17 05:29:21 UTC 2003
On Thu, Jan 16, 2003 at 03:17:44PM -0800, Josh Brooks mooed:
>
> Currently, I run a FreeBSD firewall running ipfw (500 mhz celeron, 256
> megs ram). This machine does nothing - runs no services but ssh, and
> simply sits at my network border doing packet filtering. I have a lot of
> hosts (four /24s - about 500 active IPs) behind this firewall, and
>
> The problem I am running into is simply that my firewall CPU chokes. It
> is not because the traffic is high - the line does not become saturated,
> and sometimes total traffic can be less than 5 megabits/s - BUT the
> packets/s count goes way up (sometimes by a factor of 50) and because all
a) Shorten your rules. :-)
b) Have you tried ipfw2, or upgraded to 5.0-DR3?
(ipfw2 has some known bugs in 4.7-release, but I think it's
happy in stable. Test, though)
c) Have you tried using polling mode for your ethernet device drivers?
(options DEVICE_POLLING, options HZ=1000)
Can improve forwarding performance under heavy load/small packets,
e.g. a DoS attack
> So my questions are as follows:
>
> 1. Am I wasting my time trying to make my FreeBSD+ipfw firewall more
> resilient and sophisticated? Again, I have probably only scratched the
> surface, but let's say I emerge from my office 12 months from now having
> memorized the ipfw source code and having learned _everything_ there is to
> learn about this problem - will I simply conclude that FreeBSD+ipfw is not
> good enough and I just need to go get an appliance?
Not for 12Kpps. For some really sick rate, you might have to
go with an (expensive!) appliance. But for what you're seeing, it should
be quite feasible to handle with a host.
Other questions to check on: What ethernet device are you using?
If it's not de or fxp, you're shooting yourself in the foot.
-Dave
--
work: dga at lcs.mit.edu me: dga at pobox.com
MIT Laboratory for Computer Science http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.
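As an added illustration of point (a) above (this script is not from the thread or from the ipfw project): with a linear rule chain, a pps-bound box pays for every rule each packet walks before it matches, so the rule counters tell you where the cost is. The script reads the classic `ipfw -a list` layout (rule number, packet counter, byte counter, rule body; an assumption about the 4.x output), and the sample counter lines are constructed.

```python
"""Estimate how many ipfw rules each packet walks, from `ipfw -a list` counters."""
import re

# Constructed sample of `ipfw -a list` output; the counters are made up.
SAMPLE = """\
00100     120    15000 allow ip from any to any via lo0
00200       5      400 deny ip from 127.0.0.0/8 to any
00300      50     6000 deny ip from any to 127.0.0.0/8
00400  900000 90000000 allow tcp from any to any established
00500    2000   200000 allow tcp from any to 10.0.0.1 dst-port 22
00600   30000  3000000 allow udp from any 53 to any
65535  100000 10000000 deny ip from any to any
"""

# Assumed column layout: rule number, packet count, byte count, rule body.
LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_counters(text):
    """Return [(rule_number, packets, body)] in listed (evaluation) order."""
    rules = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rules.append((int(m.group(1)), int(m.group(2)), m.group(4)))
    return rules


def avg_rules_evaluated(rules):
    """Average rules walked per packet, assuming each packet stopped at the
    rule whose counter it incremented (ignores count/skipto rules)."""
    total = sum(p for _, p, _ in rules)
    if total == 0:
        return 0.0
    return sum(p * (i + 1) for i, (_, p, _) in enumerate(rules)) / total


def avg_if_moved_first(rules, rule_number):
    """What-if: cost if one rule were placed at the top of the chain.
    Only safe in practice when no rule above it would decide differently."""
    moved = [r for r in rules if r[0] == rule_number]
    rest = [r for r in rules if r[0] != rule_number]
    return avg_rules_evaluated(moved + rest)


def hottest(rules, n=3):
    """Rules absorbing the most packets: the candidates worth looking at."""
    return sorted(rules, key=lambda r: r[1], reverse=True)[:n]


if __name__ == "__main__":
    rules = parse_counters(SAMPLE)
    print("avg rules/packet now:", round(avg_rules_evaluated(rules), 2))
    for num, pkts, body in hottest(rules):
        print(num, pkts, body, "-> if first:", round(avg_if_moved_first(rules, num), 2))
```

On the constructed sample the `established` rule absorbs most packets after three rules have already been evaluated, so the what-if shows the saving from a shorter path; whether it can actually move is a semantics question the counters cannot answer.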