Re: Firewall Performance Question.

Tom Daly Thu, 19 Jun 2003 23:39:33 -0700

Hi Mike,
Its looks like this will make a big difference to us. I will take a look
at setting up a test bed to get IPFW2 going.


Thanks to everyone,
Tom

On Thu, 19 Jun 2003, Michael Sierchio wrote:

> Tom Daly wrote:
>
> >>>The average firewall ruleset runs around 600-800 rules, running on IPFW.
> >>
> >>That's a huge number of rules -- do you have any idea what number
> >>of packets are checked against how many rules before being accepted
> >>or denied?  A histogram would be nice....
> >
> > Most of these rules are a simple "ipfw deny all from x.x.x.x to any."
> > Could some sort of source route to a null interface be better?
> >
> > The base ruleset is about 160 rules. The box can handle this with minimal
> > CPU load. The additional 500 rules, similar to the one above are the
> > problem.
>
> I'm of the opinion that 100 rules makes for a very large
> ruleset.
>
> > Suggestions?
>
> So, you're incurring a huge penalty for those packets that you
> allow in order to deny hosts/networks explicitly.  Why?  What
> percentage of packets are denied if you let them fall through to
> the bottom?
>
>
> Also, I strongly urge you to switch to IPFW2 -- in addition to
> using sets you can enable or disable atomically, or switch
> atomically, you can do things like:
>
> #!/bin/sh
>
> # fw rules
>
> bad_guys="{ \
>          61.11.0.0/19 or \
>          61.144.16.0/16 or \
>          61.72.248.192/26 or \
>          203.248.0.0/13 or \
>          210.72.224.0/24 or \
>          211.71.128.0/18 or \
>          211.104.0.0/13 or \
>          211.112.0.0/13 or \
>          211.194.117.160/27 or \
>          212.45.13.0/24 or \
>          217.80.0.0/13 or \
>          218.144.0.0/12 \
>
>       etc.
> }"
>
> # people we simply are not at home for
> ipfw add 00700 set 0 deny ip from $bad_guys to any in recv $oif
>
> # block those Microsoft protocols
> ipfw add 00900 set 0 deny ip from any to any 137-139,445,568-569,1433-1434,1512,2002 
> in recv $oif
>
> You get the idea -- it's not just the expressiveness of the
> notation, but the efficiency in matching packets that helps.
>
>
> _______________________________________________
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
>

-- 
Tom Daly
[EMAIL PROTECTED]
Chief Infrastructure Officer
Dynamic DNS Network Services
http://www.dyndns.org/

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Firewall Performance Question.

Reply via email to