Re: iptable rules and performance

To: debian-firewall@lists.debian.org
Subject: Re: iptable rules and performance
From: Jor-el <jorel@trillian.megadodo.umb>
Date: Sat, 22 Dec 2001 09:12:35 -0600 (CST)
Message-id: <[🔎] Pine.LNX.3.96.1011222085302.7703A-100000@trillian>
Reply-to: jorel@austin.rr.com
In-reply-to: <[🔎] 87vgezpjzi.fsf@inanna.rimspace.net>

On Sat, 22 Dec 2001, Daniel Pittman wrote:

> On Fri, 21 Dec 2001, Jor-el wrote:
> 
> ...and you can't collapse the set of addresses into a series of network
> ranges or relax the rules a fraction more by allowing all the hosts to
> get to all the ports?

I looked at the range of ip-addresses and there may be a few cases where
the machines were clustered together in a contiguous ip range, and so I
could use a single rule to cluster together maybe 16 machines or so. But
thats only about 4 bits that dont need to be matched, so I'm not sure how
much the gain would be.

> 
> Granted this may not be perfect security, but it may be acceptable
> depending on your threat model and trust relationships...
> 
> > My question has to do with the performance of the host under such
> > conditions. I have an estimated traffic of .5 million packets coming
> > into my server / day, and the firewall will have to sift through this
> > traffic to filter through 130 ip addresses. 
> 
> That comes out as around 5.75 packets per second. I can't imagine that
> you would find this over-taxing for any system. :)
> 
You're right - I should have done this trivial calculation before emailing
my question. Actually, I would say that about .48 million packets arrive
within 8 hours. Thats .48 million inwards and .48 million outwards . The
packet rate then comes out to about 33 packets / sec . Still not worrisome
I think. However, I have noticed that I have a few dropped packets a week,
and this seems to indicate that perhaps the burst rates are high enough
that the NIC cant keep up with the traffic even without any firewalling...

> It's worth noting that using iptables tends to mean that you
take the
> slow path with your packets as well as the cost of the firewalling but,
> even so, it's not the global packet rate you need to worry about.
> 

I dont follow. What is the slow path and what is the fast path?

> At least, not unless you plan on using a 486 or something to run the
> system or your firewall is loaded heavily...
> 

Well, its a dual Pentium II 300 (not sure about the exact speed, and its
too much trouble to log on right now and find out for sure) with 256 MB
RAM. So you are right, it is probably a non-issue.

> 
> Do a bench test over your 100 mbit network. :)
>         Daniel
> 
	Good idea anyway. How does one do such things?

Thanks,
Jor-el

Reply to:

Follow-Ups:
- Re: iptable rules and performance
  - From: Daniel Pittman <daniel@rimspace.net>

References:
- Re: iptable rules and performance
  - From: Daniel Pittman <daniel@rimspace.net>

Prev by Date: Re: iptable rules and performance
Next by Date: Re: iptable rules and performance
Previous by thread: Re: iptable rules and performance
Next by thread: Re: iptable rules and performance
Index(es):
- Date
- Thread