Hi,

as our network grows, the requirements on our firewall system grow as well. At the moment we run a 4-NIC firewall (SW 3.0.7) with DMZ, DHCP student notebook LAN, static IP, VPN, transparent HTTP proxy and more. The system is RHEL4, dual Xeon 3.2 GHz, 2 GB RAM, hardware RAID.

Everything is running fine so far, but from time to time I think about: "Is there a way to optimize the config and the rules, and how to get more performance out of the system?"

Is there a general way to write the rule file? E.g. should the most used rules like "all our lans -> net http" or "all -> dmz http & smtp/imap/pop3" be the first rules?

How to monitor which rules are "used" most?

Are there other experiences, tricks and tips, ideas, etc.?

Regards

Götz

-- 
Götz Reinicke
IT Koordinator - IT OfficeNet
Tel. +49 (0) 7141 - 969 420
Fax +49 (0) 7141 - 969 55 420
goetz.reinicke@filmakademie.de
Filmakademie Baden-Württemberg
Mathildenstr. 20
71638 Ludwigsburg
www.filmakademie.de
Götz Reinicke wrote:
>
> Is there a general way to write the rule file? E.g. should the most
> used rules like "all our lans -> net http" or "all -> dmz http &
> smtp/imap/pop3" be the first rules?

Yes.

>
> How to monitor which rules are "used" most?

Use the "shorewall show" command.

For example, to show net->dmz rules:

gateway:~ # shorewall show net2dmz
Shorewall-3.2.0-RC1 Chains net2dmz at gateway - Wed Jun 7 07:21:17 PDT 2006

Counters reset Sat Jun 3 16:41:24 PDT 2006

Chain net2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
 9234  515K @net2dmz   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02
 9560  535K dropNotSyn tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
13212  937K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
 5371  311K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 465,80,21,993,53,443
 2853  149K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 ctorigdst 206.124.146.177
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 ctorigdst 206.124.146.178
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33454
  715 40812 Mirrors    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:873
   27  1520 %Limit     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33524
  217 52150 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
  467 33691 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
  212 18056 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:net2dmz:DROP:''
  212 18056 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
gateway:~ #

The first column shows the number of times that the rule has matched.

-Tom

-- 
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
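A small parser for the counter table that "shorewall show" prints, added here as an example and not code from the thread or from Shorewall itself: it ranks the rules of one chain by hit count, lists rules that have not matched since the counters were reset, and keeps the catch-all tail out of the reordering candidates. The sample input is a constructed abridgement of Tom's net2dmz output, and the catch-all heuristic (prot "all" with no extra match text) is an assumption of this example.

```python
# Constructed sample input, abridged from the "shorewall show net2dmz" output
# in Tom's reply (chain header, column header and a few of the rules).
SAMPLE = """\
Chain net2dmz (1 references)
 pkts bytes target     prot opt in  out  source     destination
 9234  515K @net2dmz   tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  tcp flags:0x17/0x02
13212  937K ACCEPT     udp  --  *   *    0.0.0.0/0  0.0.0.0/0  udp dpt:53
 5371  311K ACCEPT     tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  multiport dports 465,80,21,993,53,443
    0     0 ACCEPT     tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  tcp dpt:25 ctorigdst 206.124.146.178
  467 33691 Drop       all  --  *   *    0.0.0.0/0  0.0.0.0/0
  212 18056 DROP       all  --  *   *    0.0.0.0/0  0.0.0.0/0
"""

SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}  # iptables -v counter suffixes

def to_int(field):
    """Convert a counter such as '515K' or '1520' to an integer."""
    if field[-1] in SUFFIX:
        return int(field[:-1]) * SUFFIX[field[-1]]
    return int(field)

def parse_chain(text):
    """Parse one 'Chain ...' block into rule dicts, in chain order."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 9)  # 9 fixed columns, then the match text
        if len(parts) < 9 or not parts[0][0].isdigit():
            continue  # skip the chain header and the column header line
        rules.append({
            "pos": len(rules) + 1,
            "pkts": to_int(parts[0]),
            "bytes": to_int(parts[1]),
            "target": parts[2],
            "prot": parts[3],
            "match": parts[9] if len(parts) > 9 else "",
            # Assumption: prot 'all' with no extra match is the catch-all tail
            # (Drop/DROP here); it must stay last whatever its counters say.
            "catch_all": parts[3] == "all" and len(parts) == 9,
        })
    return rules

def rank_rules(rules):
    """Reorderable rules sorted by hit count, most-matched first."""
    movable = [r for r in rules if not r["catch_all"]]
    return sorted(movable, key=lambda r: r["pkts"], reverse=True)

def unused_rules(rules):
    """Rules that have not matched since the counters were last reset."""
    return [r for r in rules if r["pkts"] == 0]
```

Only reorder rules whose match criteria do not overlap: moving a busy ACCEPT ahead of a narrower DROP or a rate-limited rule changes policy, not just throughput. A zero counter since the last reset is a reason to review a rule, not by itself proof that it is dead.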
Götz Reinicke
2006-Jun-08 06:43 UTC
Re: Best way to optimize rule file and for performance
Tom - as usual: Thanks for the fast and useful help!

/Götz