Re: iptable rules and performance
On Fri, 21 Dec 2001, Jor-el wrote:
> I need to set up a firewall to allow to and fro udp traffic from 130
> distinct ip addresses to my server. Unfortunately, it is not possible
> to collapse the firewalling rules for these machines by specifying the
> udp port. 

...and you can't collapse the set of addresses into a series of network
ranges or relax the rules a fraction more by allowing all the hosts to
get to all the ports?

Granted this may not be perfect security, but it may be acceptable
depending on your threat model and trust relationships...

> My question has to do with the performance of the host under such
> conditions. I have an estimated traffic of .5 million packets coming
> into my server / day, and the firewall will have to sift through this
> traffic to filter through 130 ip addresses. 

That comes out as around 5.75 packets per second. I can't imagine that
you would find this over-taxing for any system. :)

It's worth noting that using iptables tends to mean that you take the
slow path with your packets, as well as paying the cost of the firewalling,
but even so, it's not the global packet rate you need to worry about.

At least, not unless you plan on using a 486 or something to run the
system or your firewall is loaded heavily...


...but what about your burst rates? My math assumes that you are getting
packets evenly distributed. Are they really that well spread or do you
handle bursts of 10, 100, 1000, more?

That is when it /may/ start to be a problem, but one that's solved by
throwing more RAM at the machine so that it can buffer the packets
without dropping for the duration of the burst.

> Has anyone used iptables under these conditions? 

I can't say that I have actually seen a real-world situation with the
iptables tools but, seriously, it doesn't sound like a problem to me. :)

> Were there any observed problems with the firewall not being able to
> keep up with the traffic?
> 
> Any alternative suggestions?

Do a bench test over your 100 Mbit network. :)
        Daniel

-- 
The first atrocity, the first war crime committed in any war of
aggression by the aggressors is against the truth.
        -- Michael Parenti _Inventing Reality:  The Politics of News Media_
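The aggregation suggested in the reply (collapsing the host list into network ranges so the chain holds fewer rules) as an added example; this is not code from the original thread. iptables walks a chain top to bottom and stops at the first matching terminal target, so a chain with one rule per peer is a linear scan of up to 130 entries for every UDP packet, and collapsing aligned hosts into CIDR blocks shortens that walk. The collapse used here is exact: the resulting blocks cover the listed hosts and nothing else, so it does not loosen the policy the way rounding up to a convenient subnet would. The script only generates iptables-restore text, so it runs anywhere; the 130-host list is constructed sample data, and the port handling, chain layout and function names are assumptions.

```python
"""Generate an iptables-restore ruleset for a fixed list of UDP peers.

Added example, not code from the original thread.  It collapses the
peer list into the smallest set of CIDR blocks that cover exactly
those hosts and no others, then emits one ACCEPT per block in each
direction (INPUT by source, OUTPUT by destination) followed by a DROP.
The host list, port handling, chain names and rule layout are all
assumptions for illustration.
"""
import ipaddress

# Constructed sample data: 130 peers in three blocks with differing alignment.
SAMPLE_HOSTS = (
    [f"192.0.2.{i}" for i in range(0, 64)]        # 64 aligned hosts -> one /26
    + [f"198.51.100.{i}" for i in range(1, 33)]   # 32 hosts starting at .1 -> fragments
    + [f"203.0.113.{i}" for i in range(0, 34)]    # 34 hosts -> a /27 plus a /31
)


def collapse_hosts(hosts):
    """Return the minimal sorted list of IPv4 networks covering exactly `hosts`.

    Duplicates are merged; bare addresses become /32 networks.  The standard
    library's collapse_addresses never widens a range, so the result admits
    no address that was not in the input.
    """
    nets = []
    for h in hosts:
        net = ipaddress.ip_network(h.strip(), strict=True)
        if net.version != 4:
            raise ValueError(f"{h}: only IPv4 is handled (iptables, not ip6tables)")
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def build_ruleset(hosts, port=None, collapse=True):
    """Return iptables-restore text allowing UDP to and from `hosts`.

    port=None matches every UDP port, as in the original question where the
    rules could not be narrowed by port.  collapse=False emits one rule per
    host so the two forms can be compared.
    """
    if collapse:
        blocks = collapse_hosts(hosts)
    else:
        blocks = [ipaddress.ip_network(h.strip(), strict=True) for h in hosts]
    port_in = f" --dport {port}" if port is not None else ""
    port_out = f" --sport {port}" if port is not None else ""
    lines = ["*filter"]
    for net in blocks:
        # Inbound: packets from a trusted peer to our UDP service.
        lines.append(f"-A INPUT -p udp -s {net.with_prefixlen}{port_in} -j ACCEPT")
        # Outbound: our replies back to that same peer.
        lines.append(f"-A OUTPUT -p udp -d {net.with_prefixlen}{port_out} -j ACCEPT")
    # Everything else on UDP is dropped.  Order matters: iptables evaluates a
    # chain top to bottom and stops at the first matching terminal target.
    lines.append(f"-A INPUT -p udp{port_in} -j DROP")
    lines.append(f"-A OUTPUT -p udp{port_out} -j DROP")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def count_rules(ruleset, target="ACCEPT"):
    """Number of rules in the generated text that jump to `target`."""
    return sum(1 for line in ruleset.splitlines() if line.endswith(f"-j {target}"))


if __name__ == "__main__":
    per_host = build_ruleset(SAMPLE_HOSTS, collapse=False)
    collapsed = build_ruleset(SAMPLE_HOSTS)
    print(f"per-host ACCEPT rules: {count_rules(per_host)}, "
          f"collapsed: {count_rules(collapsed)}")
    print(collapsed, end="")
```

On the sample list this goes from 260 per-host rules (130 in each direction) to 18, because the first block is one aligned /26 while the block that starts at .1 cannot do better than six fragments; how much a real list shrinks depends entirely on how its addresses happen to align. Write the output to a file and load it with iptables-restore. Two caveats: the trailing OUTPUT drop also blocks the host's own outbound UDP (DNS, NTP and the like), so remove or narrow it if the box does more than serve this one service, and because the policy here is stateless by design, any rule that is not an exact collapse should be reviewed for what extra hosts it lets in, which is the trade-off the reply calls "not perfect security".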
