You could try organizing your rules using skipto to reduce the number of
rules any packet has to traverse, for example...

100  skipto 1000 ip from 0.0.0.0/1 to my-ip
200  skipto 2000 ip from 128.0.0.0/1 to my-ip
1000 deny ip from 24.6.76.8 to any
1001 deny ip from 65.65.26.7 to any
1999 skipto 3000 ip from any to any
2000 deny ip from 192.168.0.1 to any
2001 deny ip from 243.74.87.32 to any
2999 skipto 3000 ip from any to any
3000 allow ip from any to any

This would in effect reduce the number of rules any packet was traversing
by 50%.

I hope this gets your mind thinking...

On Thursday 19 June 2003 14:08, Tom Daly wrote:
> Hi,
>
> On Thu, 19 Jun 2003, Michael Sierchio wrote:
> > Tom Daly wrote:
> > > I am currently running a Dell Poweredge 350 with FreeBSD 4.7 as a
> > > network firewall for one of our sites. This site sees about 3 megabits
> > > of traffic.
> >
> > per some unit of time, I presume? ;-) maybe 3Mbit/s?
>
> Yes, 3Mbits/s.
>
> > > The average firewall ruleset runs around 600-800 rules, running on
> > > IPFW.
> >
> > That's a huge number of rules -- do you have any idea what number
> > of packets are checked against how many rules before being accepted
> > or denied? A histogram would be nice....
>
> Most of these rules are a simple "ipfw deny all from x.x.x.x to any."
> Could some sort of source route to a null interface be better?
>
> > > Could this be a direct cause of why my system's interrupt usage is over
> > > 50% at many times, as well as sending ICMP source quenches from time to
> > > time?
> > >
> > > Can anyone suggest a performance tweak to help this box along?
> >
> > Without seeing the ruleset, I'd venture a guess that IPFW2 would
> > help reduce the number of rules, and that a clever refactoring
> > (with poss. use of skipto rules) might reduce the load.
>
> The base ruleset is about 160 rules. The box can handle this with minimal
> CPU load. The additional 500 rules, similar to the one above, are the
> problem.
>
> Suggestions?
> Tom
>
> --
>
> "Well," Brahma said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent man requires only two thousand five hundred."
> - The Mahabharata
>
> _______________________________________________
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"

--
Darcy Buskermolen
Wavefire Technologies Corp.
ph: 250.717.0200
fx: 250.763.1759
http://www.wavefire.com
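An added example, not from Darcy's mail and not ipfw code: a small Python model of ipfw rule traversal that reproduces the skipto layout above and measures what it buys. The rule representation, the `evaluate`/`flat_ruleset`/`skipto_ruleset` helpers and the list of 500 denied hosts are constructed for the example; the only thing taken from the thread is the matching order (rules visited in ascending number, a matching skipto resuming at the first rule numbered at or above its target, first matching allow/deny deciding). It also goes a step beyond the mail: `bits=1` gives the two-block split suggested there, larger values split the address space into more blocks, and the comparison asserts that the refactored ruleset never reaches a different verdict than the flat list of per-host deny rules.

```python
"""Toy model of ipfw rule traversal with skipto (added example, not part of
the original mail and not ipfw code). It imitates the matching order of
ipfw(8) closely enough to count how many rules a packet is checked against
under a flat list of per-host deny rules versus a skipto layout, and checks
that both layouts reach the same verdict for every probe."""
import ipaddress
from typing import List, Optional, Tuple

# (rule number, action, skipto target, source network); action is
# "allow", "deny" or "skipto". Only the source address is matched here.
Rule = Tuple[int, str, Optional[int], ipaddress.IPv4Network]

ANY = ipaddress.IPv4Network("0.0.0.0/0")
FINAL = 65000  # number of the explicit "allow ip from any to any" rule

# The four hosts named in the mail (constructed sample policy).
MAIL_HOSTS = ["24.6.76.8", "65.65.26.7", "192.168.0.1", "243.74.87.32"]


def host(h: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(h + "/32")


def evaluate(rules: List[Rule], src: str) -> Tuple[str, int]:
    """Walk rules in ascending order like ipfw: a matching skipto resumes at
    the first rule numbered >= its target, the first matching allow/deny is
    the verdict. Returns (verdict, number of rules examined)."""
    addr = ipaddress.IPv4Address(src)
    examined, i = 0, 0
    while i < len(rules):
        _, action, target, net = rules[i]
        examined += 1
        if addr in net:
            if action == "skipto":
                i = next(j for j, r in enumerate(rules) if r[0] >= target)
                continue
            return action, examined
        i += 1
    return "deny", examined  # default-deny kernel; unreachable with FINAL present


def flat_ruleset(blocked: List[str]) -> List[Rule]:
    """One deny rule per host, then allow the rest (the 500-rule situation)."""
    rules: List[Rule] = [(100 + i, "deny", None, host(h)) for i, h in enumerate(blocked)]
    rules.append((FINAL, "allow", None, ANY))
    return rules


def skipto_ruleset(blocked: List[str], bits: int = 1) -> List[Rule]:
    """Split the address space into 2**bits ranges on its top bits and give
    each range its own block of deny rules reached via skipto. bits=1 is the
    two-block layout from the mail (0.0.0.0/1 and 128.0.0.0/1)."""
    assert 1 <= bits <= 4, "rule numbering below assumes at most 16 blocks"
    ranges = [ipaddress.IPv4Network((k << (32 - bits), bits)) for k in range(1 << bits)]
    rules: List[Rule] = []
    # Dispatch: exactly one of these matches any source address.
    for k, net in enumerate(ranges):
        rules.append((100 + k, "skipto", 1000 * (k + 1), net))
    for k, net in enumerate(ranges):
        base = 1000 * (k + 1)
        members = [h for h in blocked if ipaddress.IPv4Address(h) in net]
        for j, h in enumerate(members):
            rules.append((base + j, "deny", None, host(h)))
        # Not denied in this block: jump straight to the final allow.
        rules.append((base + 999, "skipto", FINAL, ANY))
    rules.append((FINAL, "allow", None, ANY))
    return rules


def sample_blocked(n: int) -> List[str]:
    """Constructed list of n distinct hosts spread over the address space."""
    return [f"{(37 * i) % 256}.{(91 * i) % 256}.{i // 256}.{(7 * i) % 254 + 1}"
            for i in range(n)]


def compare(blocked: List[str], probes: List[str], bits: int) -> Tuple[float, float]:
    """Average rules examined per probe under both layouts; raises if the
    refactoring ever changes a verdict."""
    flat, fast = flat_ruleset(blocked), skipto_ruleset(blocked, bits)
    flat_total = fast_total = 0
    for src in probes:
        v1, n1 = evaluate(flat, src)
        v2, n2 = evaluate(fast, src)
        if v1 != v2:
            raise AssertionError(f"policy changed for {src}: {v1} vs {v2}")
        flat_total += n1
        fast_total += n2
    return flat_total / len(probes), fast_total / len(probes)


if __name__ == "__main__":
    blocked = MAIL_HOSTS + sample_blocked(496)
    probes = blocked + ["10.0.0.1", "172.16.5.9"]  # two hosts that are not denied
    for bits in (1, 2, 4):
        flat_avg, fast_avg = compare(blocked, probes, bits)
        print(f"{1 << bits:2d} blocks: flat {flat_avg:6.1f} rules/packet, skipto {fast_avg:6.1f}")
```

The dispatch chain is itself walked linearly, so each extra doubling of blocks costs one more dispatch rule on average while halving the deny block a packet lands in; with a few hundred per-host denies the optimum in this model is well past the two blocks in the mail. Whatever the split, the deny rules a block contains must be exactly those whose source falls in the dispatching range, which is what the `members` filter enforces and what the verdict comparison checks.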