I have a problem with my firewall, I have changed the rules:

firewall: 10.0.0.1
10.0.0.X ---> server web
213.30.138.X ---> external address for the server web and ip alias of firewall

DNAT loc loc:10.0.0.X tcp 80,21,23 - 213.30.138.X:10.0.0.1

the problem is that all the ip visitor is 10.0.0.1 and I can't count the number of visitors on my site. If I delete this line in rules, the ip of the visitor are the real ip and not the ip local of the firewall.
On Wed, 21 May 2003 12:15:22 +0200, Fabien - NCTEL <fabien@nctel.net> wrote:

> I have a problem with my firewall, I have changed the rules:
>
> firewall: 10.0.0.1
> 10.0.0.X ---> server web
> 213.30.138.X ---> external address for the server web and ip alias of firewall
>
> DNAT loc loc:10.0.0.X tcp 80,21,23 - 213.30.138.X:10.0.0.1
>
> the problem is that all the ip visitor is 10.0.0.1 and I can't count the number of visitors on my site. If I delete this line in rules, the ip of the visitor are the real ip and not the ip local of the firewall.

Then set up separate DNS for internal users -- either a separate server or use Bind 9 views. As I've already told you, this is a consequence of trying to use an IP solution for something that is better solved in another way.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://www.shorewall.net
Washington USA     \ teastep@shorewall.net
tip: pdnsd works nice for caching and resolving hosts in your /etc/hosts as well.

PDNSD: http://home.t-online.de/home/Moestl/

On Wed, 21 May 2003 06:24:07 -0700 Tom Eastep <teastep@shorewall.net> opened up to us and said:

> On Wed, 21 May 2003 12:15:22 +0200, Fabien - NCTEL <fabien@nctel.net> wrote:
>
> > I have a problem with my firewall, I have changed the rules:
> >
> > firewall: 10.0.0.1
> > 10.0.0.X ---> server web
> > 213.30.138.X ---> external address for the server web and ip alias of firewall
> >
> > DNAT loc loc:10.0.0.X tcp 80,21,23 - 213.30.138.X:10.0.0.1
> >
> > the problem is that all the ip visitor is 10.0.0.1 and I can't count the number of visitors on my site. If I delete this line in rules, the ip of the visitor are the real ip and not the ip local of the firewall.
>
> Then set up separate DNS for internal users -- either a separate server or use Bind 9 views. As I've already told you, this is a consequence of trying to use an IP solution for something that is better solved in another way.
>
> -Tom
> --
> Tom Eastep       \ Shorewall - iptables made easy
> Shoreline,        \ http://www.shorewall.net
> Washington USA     \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com

[ The information transmitted is intended only for the addressee ]
[ and may contain confidential, proprietary and/or privileged ]
[ material. Any unauthorized review, distribution or other use ]
[ of or the taking of any action in reliance upon this information ]
[ is prohibited. If you received this in error, please contact the ]
[ sender and delete or destroy this message and any copies. ]
On Wed, 21 May 2003 15:24:18 +0200, Fabien - NCTEL <fabien@nctel.net> wrote:

> OK but bind is very hard to configure

Well, you can always configure host files on each internal system - that's easy but a PITA to keep updated.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://www.shorewall.net
Washington USA     \ teastep@shorewall.net
I'm working with him on pdnsd right now ;-) It'll serve hostnames from /etc/hosts and he won't have to fight with Bind.

-P

On Wed, 21 May 2003 06:34:22 -0700 Tom Eastep <teastep@shorewall.net> opened up to us and said:

> On Wed, 21 May 2003 15:24:18 +0200, Fabien - NCTEL <fabien@nctel.net> wrote:
>
> > OK but bind is very hard to configure
>
> Well, you can always configure host files on each internal system - that's easy but a PITA to keep updated.
>
> -Tom
> --
> Tom Eastep       \ Shorewall - iptables made easy
> Shoreline,        \ http://www.shorewall.net
> Washington USA     \ teastep@shorewall.net

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com
He's all fixed up Tom.

-Paul

On Wed, 21 May 2003 06:34:22 -0700 Tom Eastep <teastep@shorewall.net> opened up to us and said:

> On Wed, 21 May 2003 15:24:18 +0200, Fabien - NCTEL <fabien@nctel.net> wrote:
>
> > OK but bind is very hard to configure
>
> Well, you can always configure host files on each internal system - that's easy but a PITA to keep updated.
>
> -Tom
> --
> Tom Eastep       \ Shorewall - iptables made easy
> Shoreline,        \ http://www.shorewall.net
> Washington USA     \ teastep@shorewall.net

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com
On Wed, 21 May 2003 12:29:35 -0400, Paul Slinski <pauls@globaliqx.com> wrote:

> He's all fixed up Tom.

Thanks, Paul. Would you be willing to write up what you told him so that we can offer it as an alternative to the (gag) IP solution to FAQ #2?

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://www.shorewall.net
Washington USA     \ teastep@shorewall.net
Hi all,

quite new as a shorewall user, I have a few questions :

-> how much concurrent requests shall shorewall be able to handle on a PIII 500Mhz with 256 Mo RAM on a 3 interface configuration with about 50 rules ? (roughly ...)
-> how to have /proc/sys/net/ipv4/ip_conntrack_max set to a high value each reboot (sorry not that much shorewall related)
-> If I am right it is possible to have NAT applied on all interfaces ... Is it possible to do the same with masquerading ?

I am trying to build a firewall that has to handle as much as 32 Mbits of outgoing traffic.
When I plug in my shorewall box (mandrake MNF 8.2) the web sites behind it seem so slow ... and I could not find why.
Cpu is between 15 and 35 and no more than 50Mo of RAM is being used.
I eliminated the first bottleneck with ip_conntrack size set to 65535 but the firewall is still too slow ...

Any ideas ?

BTW :
Thanks for all, Tom.
Your work is outstanding.
If you need any help ...

Nicolas Helleringer
Wanadoo Maps
47 rue de Charonne
75011 Paris
Tél : +33 1 48 07 58 55
Nicolas Helleringer wrote:
>
> Hi all,
>
> quite new as a shorewall user, I have a few questions :
>
> -> how much concurrent requests shall shorewall be able to handle on a PIII 500Mhz with 256 Mo RAM on a 3 interface configuration with about 50 rules ? (roughly ...)
> -> how to have /proc/sys/net/ipv4/ip_conntrack_max set to a high value each reboot (sorry not that much shorewall related)

in file /etc/sysctl.conf

net.ipv4.ip_conntrack_max = xxx

> -> If I am right it is possible to have NAT applied on all interfaces ...
> Is it possible to do the same with masquerading ?
>
> I am trying to build a firewall that has to handle as much as 32 Mbits of outgoing traffic.
> When I plug in my shorewall box (mandrake MNF 8.2) the web sites behind it seem so slow ... and I could not find why.
> Cpu is between 15 and 35 and no more than 50Mo of RAM is being used.
> I eliminated the first bottleneck with ip_conntrack size set to 65535 but the firewall is still too slow ...
>
> Any ideas ?
>
> BTW :
> Thanks for all, Tom.
> Your work is outstanding.
> If you need any help ...
>
> Nicolas Helleringer
> Wanadoo Maps
> 47 rue de Charonne
> 75011 Paris
> Tél : +33 1 48 07 58 55
Well I'll tell you.... where I work, we threw in a shorewall firewall to help us fix a routing problem this past February as a temporary fix (which is still in place). It runs on an Acer PC that is a 500Mhz celeron with 256MB of ram. It handles over 10gigs of traffic every few days. So I'd say a 500Mhz P3 will do just fine.

09:49:17 up 116 days, 23:26, 2 users, load average: 0.08, 0.02, 0.01
31 processes: 30 sleeping, 1 running, 0 zombie, 0 stopped
CPU states: 0.3% user, 1.8% system, 0.0% nice, 97.9% idle
Mem: 248580K total, 237776K used, 10804K free, 72336K buffers
Swap: 2097136K total, 1596K used, 2095540K free, 108232K cached

> Hi all,
>
> quite new as a shorewall user, I have a few questions :
>
> -> how much concurrent requests shall shorewall be able to handle on a PIII 500Mhz with 256 Mo RAM on a 3 interface configuration with about 50 rules ? (roughly ...)
> -> how to have /proc/sys/net/ipv4/ip_conntrack_max set to a high value each reboot (sorry not that much shorewall related)
> -> If I am right it is possible to have NAT applied on all interfaces ... Is it possible to do the same with masquerading ?
>
> I am trying to build a firewall that has to handle as much as 32 Mbits of outgoing traffic.
> When I plug in my shorewall box (mandrake MNF 8.2) the web sites behind it seem so slow ... and I could not find why.
> Cpu is between 15 and 35 and no more than 50Mo of RAM is being used.
> I eliminated the first bottleneck with ip_conntrack size set to 65535 but the firewall is still too slow ...
>
> Any ideas ?
>
> BTW :
> Thanks for all, Tom.
> Your work is outstanding.
> If you need any help ...
>
> Nicolas Helleringer
> Wanadoo Maps
> 47 rue de Charonne
> 75011 Paris
> Tél : +33 1 48 07 58 55

--
Joe

*** I can only please one person a day. Today is not your day and tomorrow doesn't look good either. ***
On Tue, 27 May 2003 12:11:58 +0200, Nicolas Helleringer <nicolas.helleringer@wanadoomaps.com> wrote:

> Hi all,
>
> quite new as a shorewall user, I have a few questions :
>
> -> how much concurrent requests shall shorewall be able to handle on a PIII 500Mhz with 256 Mo RAM on a 3 interface configuration with about 50 rules ? (roughly ...)

None -- Shorewall doesn't handle requests. Shorewall is a tool for configuring Netfilter, the packet filtering engine in the 2.4 kernels. It is netfilter that does the packet filtering. I recommend that you look at the list archives at http://www.netfilter.org - variations on this question get asked a lot.

> -> how to have /proc/sys/net/ipv4/ip_conntrack_max set to a high value each reboot (sorry not that much shorewall related)

Your distribution should have a means for doing that. On RedHat, it is /etc/sysctl.conf.

> -> If I am right it is possible to have NAT applied on all interfaces ...

Yes, but you usually don't want to use that option.

> Is it possible to do the same with masquerading ?

You can set up masquerading for traffic from multiple internal interfaces, yes.

> I am trying to build a firewall that has to handle as much as 32 Mbits of outgoing traffic.
> When I plug in my shorewall box (mandrake MNF 8.2) the web sites behind it seem so slow ... and I could not find why.
> Cpu is between 15 and 35 and no more than 50Mo of RAM is being used.
> I eliminated the first bottleneck with ip_conntrack size set to 65535 but the firewall is still too slow ...
>
> Any ideas ?

Again, check the netfilter list archives -- this question also comes up frequently.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://www.shorewall.net
Washington USA     \ teastep@shorewall.net
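Both replies above point at /etc/sysctl.conf for making the ip_conntrack_max setting survive a reboot. The script below is an added example, not code from the list thread or from Shorewall: it updates such a key idempotently (replacing a commented-out or stale copy instead of appending a duplicate) and reads the persisted value back, working on a constructed copy of the file. It assumes the 2.4-kernel key name used in the thread; the same setting is net.netfilter.nf_conntrack_max on 2.6 and later kernels.

```shell
#!/bin/sh
# Added example (not from the thread): persist a conntrack table limit in
# sysctl.conf so it is reapplied at boot, without leaving a duplicate or a
# stale commented-out copy of the key behind.
# Assumed key name: net.ipv4.ip_conntrack_max (2.4 kernels, as in the thread);
# on 2.6+ kernels use net.netfilter.nf_conntrack_max instead.

# escape_key KEY -> KEY with its dots escaped so grep/sed treat them literally
escape_key() { printf '%s' "$1" | sed 's/\./\\./g'; }

# set_sysctl_key FILE KEY VALUE
# Rewrite an existing "KEY = ..." line (even if commented out) in place,
# otherwise append one. Uses a temp file because "sed -i" is not POSIX.
set_sysctl_key() {
    file=$1 key=$2 value=$3
    esc=$(escape_key "$key")
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[#[:space:]]*$esc[[:space:]]*=" "$file"; then
        tmp="$file.tmp.$$"
        sed -E "s|^[#[:space:]]*$esc[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
        mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl_key FILE KEY -> prints the persisted value, empty if unset
get_sysctl_key() {
    esc=$(escape_key "$2")
    sed -nE "s|^[[:space:]]*$esc[[:space:]]*=[[:space:]]*([^[:space:]#]*).*|\1|p" "$1" | tail -n 1
}

# Demo on a constructed sample file (never touches /etc directly).
demo=$(mktemp)
printf '# constructed sample\nnet.ipv4.ip_forward = 1\n#net.ipv4.ip_conntrack_max = 8192\n' > "$demo"
set_sysctl_key "$demo" net.ipv4.ip_conntrack_max 65535
echo "persisted: $(get_sysctl_key "$demo" net.ipv4.ip_conntrack_max)"
rm -f "$demo"
# On the real box: set_sysctl_key /etc/sysctl.conf net.ipv4.ip_conntrack_max 65535
# then run "sysctl -p" and compare with /proc/sys/net/ipv4/ip_conntrack_max.
```

After `sysctl -p`, the value in /proc/sys/net/ipv4/ip_conntrack_max is the one that actually applies; check it rather than trusting the file alone.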
Well I don't think so

I have to handle 32Mbit/sec => 32*60(sec)*60(min)*10(open hours a day)/8(to MBytes)/1024(to GBytes) => 140 GB per day (or 1125 Gbits a day)

so it seems I am a little away from your traffic ... :)

I have searched the netfilter docs and it seems that 16000 ip_conntrack_max is the max for a 256 MB system
can someone confirm this ?

Thanks

Nicolas Helleringer
Wanadoo Maps
47 rue de Charonne
75011 Paris
France
Tél : +33 1 48 07 58 55

-----Original Message-----
From: Joe Gofton [mailto:jgofton@danicar.net]
Sent: Tuesday 27 May 2003 14:53
To: Nicolas Helleringer
Cc: shorewall-users@lists.shorewall.net
Subject: Re: [Shorewall-users]

Well I'll tell you.... where I work, we threw in a shorewall firewall to help us fix a routing problem this past February as a temporary fix (which is still in place). It runs on an Acer PC that is a 500Mhz celeron with 256MB of ram. It handles over 10gigs of traffic every few days. So I'd say a 500Mhz P3 will do just fine.

09:49:17 up 116 days, 23:26, 2 users, load average: 0.08, 0.02, 0.01
31 processes: 30 sleeping, 1 running, 0 zombie, 0 stopped
CPU states: 0.3% user, 1.8% system, 0.0% nice, 97.9% idle
Mem: 248580K total, 237776K used, 10804K free, 72336K buffers
Swap: 2097136K total, 1596K used, 2095540K free, 108232K cached

> Hi all,
>
> quite new as a shorewall user, I have a few questions :
>
> -> how much concurrent requests shall shorewall be able to handle on a PIII 500Mhz with 256 Mo RAM on a 3 interface configuration with about 50 rules ? (roughly ...)
> -> how to have /proc/sys/net/ipv4/ip_conntrack_max set to a high value each reboot (sorry not that much shorewall related)
> -> If I am right it is possible to have NAT applied on all interfaces ... Is it possible to do the same with masquerading ?
>
> I am trying to build a firewall that has to handle as much as 32 Mbits of outgoing traffic.
> When I plug in my shorewall box (mandrake MNF 8.2) the web sites behind it seem so slow ... and I could not find why.
> Cpu is between 15 and 35 and no more than 50Mo of RAM is being used.
> I eliminated the first bottleneck with ip_conntrack size set to 65535 but the firewall is still too slow ...
>
> Any ideas ?
>
> BTW :
> Thanks for all, Tom.
> Your work is outstanding.
> If you need any help ...
>
> Nicolas Helleringer
> Wanadoo Maps
> 47 rue de Charonne
> 75011 Paris
> Tél : +33 1 48 07 58 55

--
Joe

*** I can only please one person a day. Today is not your day and tomorrow doesn't look good either. ***
On Tue, 27 May 2003 15:02:27 +0200, Nicolas Helleringer <nicolas.helleringer@wanadoomaps.com> wrote:

> Well I don't think so
>
> I have to handle 32Mbit/sec => 32*60(sec)*60(min)*10(open hours a day)/8(to MBytes)/1024(to GBytes) => 140 GB per day (or 1125 Gbits a day)
>
> so it seems I am a little away from your traffic ... :)
>
> I have searched the netfilter docs and it seems that 16000 ip_conntrack_max is the max for a 256 MB system
> can someone confirm this ?

Again, I think you would be well advised to ask these questions on the Netfilter list --

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://www.shorewall.net
Washington USA     \ teastep@shorewall.net