
More ipchains rules degrade network performance?


Steve Snyder

Oct 14, 1999, 3:00:00 AM
Is network communication latency increased as the number of ipchains
rules increases?

I've been told not, but I don't see how that could be possible.
Surely it takes longer to compare a given packet against, say, 30
rules than it does with a 10-rule ruleset.

I've read the ipchains doc, but it doesn't say much about the effect
on networking performance. Is there some doc on how rules should be
ordered to minimize the delay of passing packets through a network?

Thank you.


***** Steve Snyder *****


William Watson

Oct 14, 1999, 3:00:00 AM
The ipchains HOWTO basically says "you're on your own" in this respect.
:-) I have a couple hundred rules (between 4 chains) and have not
noticed any significant slowdowns. Of course, my SDSL connection is
only 192k - if you're firewalling between two gigabit ethernet cards you
might run into problems. Otherwise, on any reasonably fast computer, I
suspect the CPU time involved to traverse the rule chains is irrelevant.

About the only thing you can do is to put the most exercised rules
first. E.g., if you spend most of your time surfing, then put the rules
for port 80 near the top of the rules.

- bill
bi...@thekid.com

Jens Hektor

Oct 15, 1999, 3:00:00 AM
Hi,

Steve Snyder wrote:
> Is network communication latency increased as the number of ipchains
> rules increases?
>
> I've been told not, but I don't see how that could be possible.
> Surely it takes longer to compare a given packet against, say, 30
> rules than it does with a 10-rule ruleset.
>
> I've read the ipchains doc, but it doesn't say much about the effect
> on networking performance. Is there some doc on how rules should be
> ordered to minimize the delay of passing packets through a network?

I have some practical experience with about 10 Linux firewalls and about
200 rules in each of three chains.

Short summary is:

486, 50-100 MHz, 10 Mbit/s ISA NICs:    peak perf. 200 kB/s *
586, 90+ MHz, 10 Mbit/s PCI NICs:       peak perf. 600 kB/s
PII, 400 MHz, 100 Mbit/s PCI NICs:      peak perf. 6000 kB/s

* if you start firewalling on the 486, the peak performance drops to the
given value; on the other machines no drop in performance was seen.

Bye, Jens

--
Jens Hektor, RWTH Aachen, Rechenzentrum, Seffenter Weg 23, 52074 Aachen
Computing Center Technical University Aachen, firewalls/network security
mailto:hek...@RZ.RWTH-Aachen.DE, Tel.: +49 241 80-4866
Private: Rochusstr. 26, D52062 Aachen, Fon: +49 241 29888, Fax: % 29889

Kenneth Crudup

Nov 3, 1999, 3:00:00 AM
In article <fjfalqreubzrpbz...@news.nblvil1.in.home.com>,
"Steve Snyder" <swsn...@home.com> says:

>I've been told not, but I don't see how that could be possible.

I'm sure they do; that's why I put the high-probability-of-being-matched
stuff up at the very top of my input chain.

-Kenny

--
Kenneth R. Crudup Sr. SW Engineer, Scott County Consulting, Washington, D.C.
Home1: 8051 Newell St. #914 Silver Spring, MD 20910-0914 (301) 562-1922
Home2: 38010 Village Cmn. #217 Fremont, CA 94536-7525 (510) 745-8181
Work: 19420 Homestead Road Cupertino, CA 95014-0606 (408) 447-6654

Dale Pontius

Nov 3, 1999, 3:00:00 AM
In article <3806495B...@thekid.com>,
William Watson <bi...@thekid.com> writes:
>
> About the only thing you can do is to put the most exercised rules
> first. E.g., if you spent most of your time surfing, then put the rules
> for port 80 near the top of the rules.
>
There's one other thing you can do - use user chains to turn your
rules into a tree. I've done a little of this, by forking my ICMP
rules into a separate chain, with "-j DENY" at its end. When I get
a round tuit I'm thinking of splitting TCP and UDP the same way.
They don't necessarily have to be in separate scripts, for instance
all the DNS rules can be kept together, just call out different
chains for the TCP and UDP sides.

Of course if I wait long enough to do this, 2.4 will be out with
netfilters, and there will be a different optimization.

Dale Pontius
NOT speaking for IBM
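The two optimisations suggested in this thread (Bill's "most-exercised rules first" and Dale's "fork into user chains") can be measured rather than argued about. Below is an added example, not code from any poster: a small Python model of ipchains-style chain traversal that counts how many rules a packet is compared against before a verdict, for a flat chain, a reordered flat chain and a per-protocol tree. The ruleset (20 TCP port blocks plus web, DNS and ping accepts) is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                  # ACCEPT, DENY, or a user chain name (like ipchains -j)
    proto: Optional[str] = None  # None matches any protocol (like omitting -p)
    dport: Optional[int] = None  # None matches any destination port

def matches(rule: Rule, pkt: dict) -> bool:
    return (rule.proto is None or rule.proto == pkt["proto"]) and \
           (rule.dport is None or rule.dport == pkt["dport"])

def walk(chains: dict, pkt: dict, chain: str = "input", policy: str = "DENY"):
    """Traverse a chain top to bottom; return (verdict, number of rules examined)."""
    examined = 0
    for rule in chains[chain]:
        examined += 1
        if not matches(rule, pkt):
            continue
        if rule.target in chains:                  # jump into a user chain
            verdict, sub = walk(chains, pkt, rule.target, policy)
            examined += sub
            if verdict is not None:
                return verdict, examined
            continue                               # fell off the end of it: resume here
        return rule.target, examined
    # a built-in chain applies its policy; a user chain returns to the caller
    return (policy if chain == "input" else None), examined

# Constructed ruleset: 20 TCP blocks, then the rules a home user actually hits.
TCP_BLOCKS = [Rule("DENY", "tcp", p) for p in range(1, 21)]
WEB, DNS, PING = Rule("ACCEPT", "tcp", 80), Rule("ACCEPT", "udp", 53), Rule("ACCEPT", "icmp")

FLAT = {"input": TCP_BLOCKS + [WEB, DNS, PING]}
ORDERED = {"input": [WEB, DNS, PING] + TCP_BLOCKS}         # most-exercised rules first
TREE = {                                                    # fork by protocol into user chains
    "input": [Rule("icmp-in", "icmp"), Rule("udp-in", "udp"), Rule("tcp-in", "tcp")],
    "icmp-in": [PING, Rule("DENY")],
    "udp-in": [DNS, Rule("DENY")],
    "tcp-in": TCP_BLOCKS + [WEB, Rule("DENY")],
}

def cost(chains: dict, proto: str, dport: Optional[int] = None) -> tuple:
    """Verdict and comparisons for one packet against one ruleset."""
    return walk(chains, {"proto": proto, "dport": dport})

if __name__ == "__main__":
    for name, cs in (("flat", FLAT), ("ordered", ORDERED), ("tree", TREE)):
        print(name, cost(cs, "tcp", 80), cost(cs, "udp", 53), cost(cs, "icmp"))
```

Note that the tree costs a few extra comparisons for the protocol that owns the longest sub-chain (TCP here) but spares UDP and ICMP packets from ever seeing the TCP rules, which is the trade-off Dale describes.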
