Götz Reinicke
2003-Mar-24 05:04 UTC
[Shorewall-users] how do I optimise configuration for better performance
Hi folks,

I recently updated to shorewall 1.4.1a and BTW I wonder how I can optimise the configuration for speed at startup and while running.

I have a basic three-interface firewall with a lot of rules, so my first two questions are:

- does the order of the rules influence the speed, e.g. if I have a lot of smtp traffic from/to the dmz, should I put the corresponding rules at the top of the rules file? (I would expect yes, if there is a match, the other rules aren't checked... or am I wrong?)

- is there a difference/(dis-)advantage to putting multiple protocols/ports in one line, e.g.

  ACCEPT loc dmz tcp smtp,http,https,imap,imaps,pop3

  or

  ACCEPT loc dmz tcp smtp
  ACCEPT loc dmz tcp http
  ACCEPT loc dmz tcp https
  ACCEPT loc dmz tcp imap
  ACCEPT loc dmz tcp imaps
  ACCEPT loc dmz tcp pop3

Are there besides some features I can use to do some optimising?

so long and thanks for all the fish

Götz Reinicke

--
Götz Reinicke
IT Koordinator - IT OfficeNet
Tel. +49 (0) 7141 - 969 420
Fax +49 (0) 7141 - 969 55 420
goetz.reinicke@filmakademie.de
Filmakademie Baden-Württemberg
Mathildenstr. 20
71638 Ludwigsburg
www.filmakademie.de
Tom Eastep
2003-Mar-24 06:22 UTC
[Shorewall-users] how do I optimise configuration for better performance
On Mon, 24 Mar 2003, Götz Reinicke wrote:

> Hi folks,
>
> I recently updated to shorewall 1.4.1a and BTW I wonder how I can optimise
> the configuration for speed at startup and while running.
>
> I have a basic three-interface firewall with a lot of rules, so my first
> two questions are:
>
> - does the order of the rules influence the speed, e.g. if I have a
> lot of smtp traffic from/to the dmz, should I put the corresponding rules
> at the top of the rules file? (I would expect yes, if there is a match,
> the other rules aren't checked... or am I wrong?)

You are wrong -- traffic involving the DMZ only goes through rules that involve the DMZ.

> - is there a difference/(dis-)advantage to putting multiple protocols/ports
> in one line, e.g.
>
> ACCEPT loc dmz tcp smtp,http,https,imap,imaps,pop3
>
> or
>
> ACCEPT loc dmz tcp smtp
> ACCEPT loc dmz tcp http
> ACCEPT loc dmz tcp https
> ACCEPT loc dmz tcp imap
> ACCEPT loc dmz tcp imaps
> ACCEPT loc dmz tcp pop3

The former is faster provided that you have set MULTIPORT=Yes in shorewall.conf.

> Are there besides some features I can use to do some optimising?

You can order the rules within source/destination so that those rules that get the most traffic come first. Remember though that rules are only evaluated at connection time -- they are not involved once the connection is established.

The blacklists on the other hand are evaluated for every packet. Having very long black lists can definitely hurt performance.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
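An added example, not Shorewall's code and not from this thread, that folds rules differing only in DEST PORT into the single multi-port line Tom recommends for MULTIPORT=Yes. It assumes the 1.4 rules-file column order ACTION SOURCE DEST PROTO DEST_PORT(S) and an assumed limit of 15 ports per iptables multiport match, so over-long groups are split rather than merged into one unusable line.

```python
from collections import OrderedDict

# Assumption: the kernel multiport match accepts at most 15 ports per rule.
MAX_PORTS = 15

def merge_rules(lines, max_ports=MAX_PORTS):
    """Fold rules differing only in DEST PORT into multi-port lines; comments,
    blank lines, port-less rules and port ranges (a:b) pass through, and each
    group is emitted where its first rule stood (so ordering is preserved)."""
    groups = OrderedDict()   # (head columns, trailing columns) -> port list
    layout = []              # output order: ('raw', line) or ('group', key)
    for line in lines:
        cols = line.split()
        if len(cols) < 5 or cols[0].startswith('#') or ':' in cols[4]:
            layout.append(('raw', line))
            continue
        key = (tuple(cols[:4]), tuple(cols[5:]))   # everything but DEST PORT
        ports = groups.get(key)
        if ports is None:
            groups[key] = ports = []
            layout.append(('group', key))
        for port in cols[4].split(','):
            if port not in ports:                   # drop duplicates, keep order
                ports.append(port)
    merged = []
    for kind, item in layout:
        if kind == 'raw':
            merged.append(item)
            continue
        (head, tail), ports = item, groups[item]
        for i in range(0, len(ports), max_ports):   # split over-long groups
            chunk = ','.join(ports[i:i + max_ports])
            merged.append(' '.join(head + (chunk,) + tail))
    return merged

# Constructed sample in Shorewall 1.4 column order, not a real rules file.
SAMPLE = """\
# loc -> dmz mail and web
ACCEPT loc dmz tcp smtp
ACCEPT loc dmz tcp http
ACCEPT loc dmz tcp https
ACCEPT loc dmz tcp imap
ACCEPT loc dmz tcp imaps
ACCEPT loc dmz tcp pop3
ACCEPT loc dmz udp domain
""".splitlines()

if __name__ == '__main__':
    print('\n'.join(merge_rules(SAMPLE)))
```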
Tom Eastep
2003-Mar-24 07:03 UTC
[Shorewall-users] how do I optimise configuration for better performance
On Mon, 24 Mar 2003, Götz Reinicke wrote:

> Tom Eastep wrote:
> > On Mon, 24 Mar 2003, Götz Reinicke wrote:
> <...>
> >
> > The former is faster provided that you have set MULTIPORT=Yes in
> > shorewall.conf.
>
> How can I find out if my kernel supports this feature?
>
> Thanks.

If your kernel has all of the netfilter code modularized, you can:

  ls /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_multiport.o

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net