hi there. There are approx. 400-500 users in our network and we plan to
insert all their MAC addresses into maclist and bind them together with IP
address. My question is whether shorewall is able to process that much of
MAC addresses without slowing the network speed performance? thanks for
your time.
Diamond King wrote:
> hi there. There are approx. 400-500 users in our network and we plan to
> insert all their MAC addresses into maclist and bind them together with
> IP address. My question is whether shorewall is able to process that
> much of MAC addresses without slowing the network speed performance?
> thanks for your time.

Shorewall only processes the MAC entries during "shorewall [re]start".
After that, there is no Shorewall code running whatsoever (see
http://shorewall.net/Introduction.html). So what you *really* want to know
is if your firewall can pass outgoing connection requests through an
average of 250 additional rules without adversely affecting performance.

The answer to that is "probably yes" unless you are trying to run your
firewall on underpowered hardware.

I assume that you run name servers behind the firewall -- that helps limit
the effect of MAC verification since DNS name resolution tends to generate
lots of connection requests. By placing the entries for your name servers
at the front of the 'maclist' file, you can virtually eliminate any effect.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Do you mean by building up a nameserver behind the firewall?

As for hardware, it should be okay as we are running AMD Athlon XP with
1Gb of RAM.

--- Tom Eastep <teastep@shorewall.net> wrote:
> Diamond King wrote:
>> hi there. There are approx. 400-500 users in our network and we plan
>> to insert all their MAC addresses into maclist and bind them together
>> with IP address. My question is whether shorewall is able to process
>> that much of MAC addresses without slowing the network speed
>> performance? thanks for your time.
>
> Shorewall only processes the MAC entries during "shorewall [re]start".
> After that, there is no Shorewall code running whatsoever (see
> http://shorewall.net/Introduction.html). So what you *really* want to
> know is if your firewall can pass outgoing connection requests through
> an average of 250 additional rules without adversely affecting
> performance.
>
> The answer to that is "probably yes" unless you are trying to run your
> firewall on underpowered hardware.
>
> I assume that you run name servers behind the firewall -- that helps
> limit the effect of MAC verification since DNS name resolution tends to
> generate lots of connection requests. By placing the entries for your
> name servers at the front of the 'maclist' file, you can virtually
> eliminate any effect.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Diamond King wrote:
> Do you mean by building up a nameserver behind the firewall?

Yes.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Diamond King wrote:
>
>> Do you mean by building up a nameserver behind the firewall?
>
> Yes.

There is an alternative. If your kernel and iptables contain 'Recent Match'
support, then the 'firewall' script in CVS (Shorewall2/) allows 'caching'
of recent maclist lookups in a 'recent' table. You can determine if your
iptables/kernel support this match type by:

    iptables -N foo
    iptables -A foo -m recent --update -j ACCEPT

If the second command succeeds, you have 'recent match' support.

In shorewall.conf, you add a specification of the form:

    MACLIST_TTL=n

then each IP address will only be checked at most once each 'n' seconds.
The way that it works is:

1) The source MAC/IP address is passed through the 'mac' chain for the
   interface on which a new connection request arrives.

2) If a match is found, then the IP address is added to the 'recent' table
   for that interface and the connection request is accepted. Recent
   tables are hashed and provide for rapid lookup.

3) Each new connection request from a 'maclist' interface is first looked
   up in the interface's recent table -- if a match is found and the entry
   is less than $MACLIST_TTL seconds old, then the connection request is
   accepted immediately.

You must first upgrade to 2.2.2 if you are not running it already. Then
download the 'firewall' script from CVS and install it in
/usr/share/shorewall/firewall replacing your current 2.2.2 script. Add a
MACLIST_TTL entry in your /etc/shorewall/shorewall.conf and restart
Shorewall (and "shorewall save" if you use fast restart).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
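The three-step scheme described in the reply above (consult a hashed recent table first, fall back to the per-host MAC/IP rules, record the source IP on a match), together with the earlier tip of placing name servers at the front of the list, as an added example that is not part of the original thread and not Shorewall's own firewall script. It is a small Python generator that reads a constructed maclist in a simplified three-column layout (interface, MAC, IP; the real Shorewall file layout is not assumed), rejects malformed entries so a typo cannot silently open or close a hole, and prints the iptables commands for one chain per interface. The chain and recent-table names, the DROP fallback for unknown hosts, and the `ttl` parameter standing in for MACLIST_TTL are assumptions for illustration.

```python
"""Added illustration of the maclist + 'recent' caching scheme described in
the thread.  It is not Shorewall's firewall script: the maclist column
layout, chain/table names and the DROP fallback are assumptions."""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

# Constructed sample, simplified to three columns: interface, MAC, IP.
SAMPLE_MACLIST = """\
# interface  mac                ip
eth1  00:11:22:33:44:01  192.168.1.53   # name server: should go first
eth1  00:11:22:33:44:02  192.168.1.101
eth1  00:11:22:33:44:03  192.168.1.102
eth1  zz:11:22:33:44:04  192.168.1.103  # malformed MAC, must be rejected
"""


def parse_maclist(text):
    """Return (entries, errors); entries are (iface, mac, ip) tuples."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append((lineno, "expected 3 columns"))
            continue
        iface, mac, ip = parts
        if not MAC_RE.match(mac):
            errors.append((lineno, f"malformed MAC {mac}"))
            continue
        try:
            ip = str(ipaddress.ip_address(ip))
        except ValueError:
            errors.append((lineno, f"malformed IP {ip}"))
            continue
        entries.append((iface, mac.lower(), ip))
    return entries, errors


def build_rules(entries, ttl, priority_ips=()):
    """Emit iptables commands implementing the three steps from the thread.

    Per interface: a chain '<iface>_mac' whose first rule consults the
    hashed recent table (step 3), then one MAC/IP verification rule per
    host that records the source IP in the table on a match (steps 1-2).
    Hosts in priority_ips (e.g. name servers) are placed first.
    """
    by_iface = {}
    for iface, mac, ip in entries:
        by_iface.setdefault(iface, []).append((mac, ip))

    rules = []
    for iface, pairs in by_iface.items():
        chain, table = f"{iface}_mac", f"{iface}_maclist"
        rules.append(f"iptables -N {chain}")
        # Step 3: a cache entry younger than ttl seconds is accepted at once
        # (RETURN hands the packet back to the calling chain).
        rules.append(f"iptables -A {chain} -m recent --rcheck --seconds {ttl} "
                     f"--name {table} -j RETURN")
        # Steps 1-2: full MAC/IP check.  iptables evaluates matches left to
        # right, so '--set' only records the IP when the mac match succeeds.
        ordered = sorted(pairs, key=lambda p: p[1] not in priority_ips)
        for mac, ip in ordered:
            rules.append(f"iptables -A {chain} -m mac --mac-source {mac} -s {ip} "
                         f"-m recent --set --name {table} -j RETURN")
        # Assumed disposition for MAC/IP pairs that are not in the list.
        rules.append(f"iptables -A {chain} -j DROP")
    return rules


if __name__ == "__main__":
    entries, errors = parse_maclist(SAMPLE_MACLIST)
    for lineno, msg in errors:
        print(f"maclist line {lineno}: {msg}")
    for rule in build_rules(entries, ttl=60, priority_ips={"192.168.1.53"}):
        print(rule)
```

Running the script prints one rejected line (the malformed MAC) and six iptables commands for eth1: the chain creation, the recent-table check, the name-server rule, the two remaining hosts, and the DROP fallback. With 500 hosts the point of the ordering is visible: a cached or early-listed host is matched by the first one or two rules instead of walking the full list on every new connection.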