Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls

David G. Andersen dga at lcs.mit.edu
Fri Jan 17 05:29:21 UTC 2003 

On Thu, Jan 16, 2003 at 03:17:44PM -0800, Josh Brooks mooed:
> 
> Currently, I run a FreeBSD firewall running ipfw (500 mhz celeron, 256
> mags ram).  This machine does nothing - runs no services but ssh, and
> simply sits at my network border doing packet filtering.  I have a lot of
> hosts (four /24s - about 500 active IPs) behind this firewall, and
> 
> The problem I am running into is simply that my firewall CPU chokes.  It
> is not because the traffic is high - the line does not become saturdated,
> and sometimes total traffic can be less than 5 megabits/s - BUT the
> packets/s count goes way up (sometimes by a factor of 50) and because all

  a)  Shorten your rules. :-)
  b)  Have you tried ipfw2, or upgraded to 5.0-DR3?
      (ipfw2 has some known bugs in 4.7-release, but I think it's
      happy in stable.  test, though)
  c)  Have you tried using polling mode for your ethernet device drivers?
      (options DEVICE_POLLLING, options HZ=1000)
      Can improve forwarding performance under heavy load/small packets,
      e.g. a DoS attack

        
> So my questions are as follows:
> 
> 1. Am I wasting my time trying to make my FreeBSD+ipfw firewall more
> resilient and sophisticated ?  Again, I have probably only scratched the
> surface, but let's say I emerge from my office 12 months from now having
> memorized the ipfw source code and having learned _everything_ there is to
> learn about this problem - will I simply conclude that FreeBSD+ipfw is not
> good enough and I just need to go get an appliance ?

  Not for 12Kpps.  For some really sick rate, you might have to
go with an (expensive!) appliance.  But for what you're seeing, it should
be quite feasible to handle with a host.

  Other questions to check on:  What ethernet device are you using?
If it's not de or fxp, you're shooting yourself in the foot.

  -Dave

-- 
work: dga at lcs.mit.edu                          me:  dga at pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
      I do not accept unsolicited commercial email.  Do not spam me.

More information about the NANOG mailing list