
Re: Firewall performance



On Fri, 21 Jan 2000, David Uhring wrote:
> 
> On Thu, 20 Jan 2000, Steve Roggenkamp wrote:
> > I installed OpenBSD on a 486 machine over the weekend and made an
> > attempt to create a firewall, but I encountered severe performance
> > difficulties.  It took hours to download a small amount of email.  I had
> > expected great performance, but I reinstalled Linux due to the poor
> > performance and lack of time to diagnose the problem without email
> > support.  If anyone could offer suggestions as to how to set up a
> > firewall with obsd I would appreciate it.  The specifics of my
> > installation:
> > 
> > 	Gateway 486DX2/66 28Mb RAM
> > 	Linksys Ethernet NE2000 cards with default IRQ & IO addresses
> > 		one going to a cable modem
> > 		the other going to a 10Mb/sec 10BaseT network
> > 	Generic 2.6 kernel from the distribution
> > 
> > I used the /usr/share/ipf/firewall.2 and /usr/share/ipf/nat.1 files with
> > minimal changes, mainly changing the addresses.
> > 
> > I had acceptable ftp performance from outside machines to the firewall,
> > but not across the firewall.  I was able to get data across the
> > firewall, but not very fast.  I figure it was something in my
> > configuration, but I could not diagnose where the problem occurred.
> > 
> > TIA,
> > Steve
> > 
> > -- 
> > -----
> > Steve Roggenkamp
> > InterNet:    roggenkamps@acm.org
> > WWW:         http://home.columbus.rr.com/roggenkamps/
> 
> My gateway/firewall box is IBM PC330-466DX2, 16M RAM - see dmesg output attached.  Connected to 3Com CMX Cable
> Modem via ne2k-pci NIC.  With a fast server I get 70K-90K Bytes/sec on ftp downloads.  Config files are attached.
> Even with the fastest and longest downloads, i.e. StarOffice 5.1a to my Solaris system, CPU idle hardly dropped below 76%.
> All the rest of the configuration follows OBSD FAQs.
> 

[Attachment: dmesg]
[Attachment: ipf.rules]
[Attachment: ipnat.rules]

I'm resending this because the SMTA reported errors on my first attempt.  Also, I'm enclosing my /etc/rc.conf
file.  You might have overlooked an option.  I just never have had any difficulty using OBSD as a
gateway/firewall.  Even with a 66MHz CPU in a $25.00 box, I just could not ask for better.  Besides, the firewall
works.  I recently had some script kiddie spend almost a month trying to get inside - with no success.  He finally
ended up throwing SYN floods at me while I was making ftp downloads.  I eventually changed the NIC to another
ne2k-pci and power cycled the cable modem.  This gave me a new IP, which that turd hasn't found yet.  This cheapo
NIC also works just fine; after all, I'm only asking for less than 10% of its supposed speed.

rc.conf