Hey all-
Got a couple of questions for all you firewall wizards out there. I apologize if this isn't Shorewall specific (all my firewalls run Shorewall), but this list is one of the best of its kind around...

I am installing a high volume mail system in the next couple of weeks and would, of course, like to make sure that it is properly firewalled off. The issue is whether or not the box that I have tentatively picked for the firewall will be sufficient for the amount of traffic passing through it. I plan on the following: PIII 550E, 256MB RAM, running RH7.2, stock 2.4.17 kernel, 1 eepro100 and one 3c590 NIC.

The firewall will sit on a 100mbit burstable connection and have three MTAs and two webservers behind it. A VPN (FreeS/WAN) will connect my corporate office with the cluster for management purposes. Anticipated load will be in the 7-20mbit/sec (out) and 1-2 mbit/sec (in) range during production (business) hours.

I currently have a similar firewall in front of my website, and it handles relatively low traffic (<2mbit/sec) but high connection rate (50-100 http requests/sec at peak times) without breaking a sweat.

I am worried that 1) the new firewall isn't robust enough to handle that throughput, 7+mbit/sec, from a memory/bus/CPU whatever standpoint (not sure about the limiting factor here) and 2) that with a shedload of SMTP traffic, upwards of 45 SMTP connections/sec, the firewall will very quickly run out of connection tracking table space... 256MB gives it a table size of 16,312 entries.

So, first, is the hardware appropriate for the task at hand? I don't have the budget, nor the desire to purchase a commercial firewall, but I have been known to employ thoroughly inappropriate hardware for certain tasks. And second, with SMTP connections being rather long lived, I am afraid that the firewall will quickly consume all its table space... Can I safely raise this above the default without adding more memory? Is there a good rule of thumb for this?

Or, is there a better configuration for this system? I.e. should I firewall the MTAs individually and expose them instead of putting everything behind a firewall?

Thanks again,
Zack
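A worked sizing check for the table-space questions above, added here as an example; it is not code from the thread, from Shorewall, or from netfilter. It reproduces the heuristic the 2.4 kernel uses to pick the default ip_conntrack_max from RAM (the kernel works from its own page count, so a real box reports a little under the round figure), estimates the memory a larger table would pin, applies Little's law to the 45 connections/sec figure, and parses a constructed /proc/net/ip_conntrack snapshot in 2.4 format to report utilisation. The ~350 bytes per entry, the 5-second average SMTP session, and the sample lines are assumptions, not measurements; the 120 s TIME_WAIT timeout is the 2.4 default.

```python
"""Sizing and utilisation check for the 2.4 netfilter connection-tracking table.

Added example, not code from the thread. The per-entry size and the
sample /proc/net/ip_conntrack lines below are assumptions.
"""
import re
from collections import Counter

# 2.4 kernel heuristic (net/ipv4/netfilter/ip_conntrack_core.c): the hash array
# gets RAM/16384 bytes, each bucket is a struct list_head (8 bytes on 32-bit x86),
# the bucket count is clamped to 16..8192, and ip_conntrack_max = 8 * buckets.
LIST_HEAD_BYTES = 8
# Approximate size of one struct ip_conntrack on 2.4 (assumption; grows with NAT/helper data).
CONNTRACK_ENTRY_BYTES = 350
# 2.4 default TCP TIME_WAIT conntrack timeout; a closed SMTP session holds its slot this long.
TIME_WAIT_TIMEOUT_S = 120


def default_hashsize(ram_bytes):
    """Bucket count the kernel picks at module load when no hashsize= is given."""
    buckets = (ram_bytes // 16384) // LIST_HEAD_BYTES
    return max(16, min(buckets, 8192))


def default_conntrack_max(ram_bytes):
    """Default value of /proc/sys/net/ipv4/ip_conntrack_max for this much RAM."""
    return 8 * default_hashsize(ram_bytes)


def conntrack_memory_bytes(conntrack_max, hashsize):
    """Worst-case footprint of a full table: every entry allocated plus the hash array."""
    return conntrack_max * CONNTRACK_ENTRY_BYTES + hashsize * LIST_HEAD_BYTES


def steady_state_entries(new_conns_per_s, avg_session_s, post_close_s=TIME_WAIT_TIMEOUT_S):
    """Little's law: concurrent entries = arrival rate * time each entry stays in the table."""
    return int(new_conns_per_s * (avg_session_s + post_close_s))


# /proc/net/ip_conntrack (2.4): proto protonum timeout [TCP state] orig-tuple [UNREPLIED] reply-tuple [ASSURED] use=N
LINE_RE = re.compile(r"^(?P<proto>\w+)\s+(?P<protonum>\d+)\s+(?P<timeout>\d+)\s+(?P<rest>.*)$")


def parse_conntrack(text):
    """Return one dict per table entry; icmp lines carry type=/code= instead of ports, so dport may be None."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = m.group("rest").split()
        state = None
        if m.group("proto") == "tcp":
            state, fields = fields[0], fields[1:]
        orig = dict(f.split("=", 1) for f in fields[:4] if "=" in f)  # original-direction tuple
        entries.append({
            "proto": m.group("proto"),
            "state": state,
            "timeout": int(m.group("timeout")),
            "dport": int(orig["dport"]) if "dport" in orig else None,
            "unreplied": "[UNREPLIED]" in fields,
            "assured": "[ASSURED]" in fields,
        })
    return entries


def summarize(entries, conntrack_max):
    """Figures an operator would graph: total, % of max, per-state counts, SMTP share, half-open count."""
    by_state = Counter(e["state"] or e["proto"] for e in entries)
    return {
        "total": len(entries),
        "utilisation_pct": 100.0 * len(entries) / conntrack_max,
        "by_state": dict(by_state),
        "smtp": sum(1 for e in entries if e["dport"] == 25),
        "unreplied": sum(1 for e in entries if e["unreplied"]),
    }


# Constructed snapshot in 2.4 format (RFC 5737 addresses), not captured from a real firewall.
SAMPLE_CONNTRACK = """\
tcp      6 431975 ESTABLISHED src=203.0.113.10 dst=192.0.2.25 sport=40211 dport=25 src=192.0.2.25 dst=203.0.113.10 sport=25 dport=40211 [ASSURED] use=1
tcp      6 119 TIME_WAIT src=203.0.113.11 dst=192.0.2.25 sport=40212 dport=25 src=192.0.2.25 dst=203.0.113.11 sport=25 dport=40212 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=192.0.2.80 sport=51000 dport=80 src=192.0.2.80 dst=198.51.100.7 sport=80 dport=51000 [ASSURED] use=1
tcp      6 118 SYN_SENT src=203.0.113.12 dst=192.0.2.25 sport=40213 dport=25 [UNREPLIED] src=192.0.2.25 dst=203.0.113.12 sport=25 dport=40213 use=1
udp      17 27 src=192.0.2.25 dst=192.0.2.53 sport=1025 dport=53 src=192.0.2.53 dst=192.0.2.25 sport=53 dport=1025 use=1
"""

if __name__ == "__main__":
    ram = 256 * 1024 * 1024
    print("default hashsize / ip_conntrack_max for 256MB:", default_hashsize(ram), default_conntrack_max(ram))
    print("memory for ip_conntrack_max=65536, hashsize=8192: %.1f MB"
          % (conntrack_memory_bytes(65536, 8192) / 2 ** 20))
    print("entries at 45 SMTP conn/s, 5 s sessions:", steady_state_entries(45, 5))
    print(summarize(parse_conntrack(SAMPLE_CONNTRACK), default_conntrack_max(ram)))
```

The memory question answers itself: a 65536-entry table with 8192 buckets costs on the order of 22 MB, so raising ip_conntrack_max on a 256MB box is not a RAM problem. On a running 2.4 kernel the live value is /proc/sys/net/ipv4/ip_conntrack_max and can be raised at runtime; the bucket count is only settable as the ip_conntrack module's hashsize= parameter at load time, and a table far larger than 8x the buckets just lengthens the hash chains each lookup walks. The real capacity risk is the 2.4 ESTABLISHED timeout of five days holding slots for sessions that died without a FIN, which is why the summary counts states rather than only the total.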
Zack,

I'm going to have to defer to people with more experience with high volume applications. You might also post on netfilter@lists.samba.org.

-Tom
--
Tom Eastep    \ Shorewall -- iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

> -----Original Message-----
> From: Zachariah Mully
> Sent: Wednesday, February 20, 2002 8:30 AM
> To: Shorewall list
> Subject: [Shorewall-users] throughput and ip_conntrack_max
Zack,

Zack, would you be so kind as to post any responses you get off list to the shorewall list.

I am currently running shorewall on a moderately busy connection (tracking ~400 connections at 8am) and have concerns of packets "leaking" through (I'm seeing outbound packets dropped on our internet firewall that should have never made it in). The machine is a RH 7.1 machine with iptables 1.2.1a-1 on a P3 733 with 256 MB Ram and 2 3c905 NICs.

Thanks,

Jeff

>>> Zachariah Mully <zmully@smartbrief.com> 02/20/02 09:30AM >>>

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
Jeff,

Please send me details about this "leakage".

-Tom
--
Tom Eastep    \ Shorewall -- iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

> -----Original Message-----
> From: Jeff Falgout
> Sent: Thursday, February 21, 2002 7:34 AM
> To: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] throughput and ip_conntrack_max
All,

This seems to be a pretty common scenario involving high-traffic segments coupled with 3com NICs. Swap the 3coms w/Intels and the problem mysteriously disappears.

I think I would double the RAM and do without the 3c590 in the setup proposed below. It will probably work well that way, but monitor CPU and top for the first week or so to make sure.

Paul

-----Original Message-----
From: Jeff Falgout
Sent: Thursday, February 21, 2002 8:34 AM
To: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] throughput and ip_conntrack_max