Thanks to everyone for their fast replies. The firewalls are Pentium 4 2.8GHz boxes, only 256MB of RAM, but they're not swapping. We're getting about 256Kbit/s absolute maximum through these boxes, whereas on the Ciscos we can sustain 8-10Mbit/s no problem in some tests, and burst much higher. There are RELATED, ESTABLISHED rules around, but one important thing I seem to have neglected to mention is that these are managed by Shorewall, so I have only indirect control over the rules. The connection state tracking rules aren't quite as close to the start of the tables as I would like, but I'm not sure if I can control this easily with Shorewall...

Jasper (looking forward to a beer after all this)

John @ netTRUST wrote:
Considering that the vast majority of non-Cisco commercial firewalls are based on some version of IP Tables, I don't think that is where your problem is.
You haven't provided much information:
1. What is your hardware?
2. What sort of speed are you aiming for?
3. Which Linux kernel are you using?
We currently have a pair of Linux iptables firewall boxes that are being replaced in a month's time with a pair of Cisco ASA firewalls.
Recently during testing we noticed transfer rates through the Ciscos (attached to the same Cisco routers on the other side) is over 30x faster than through the iptables firewalls.
I know that iptables isn't hugely fast, there's a reason you pay for Ciscos etc etc, but the resources I have read usually indicate that iptables slowness is related to massive rulesets. We have 2415 rules, which I don't consider to be *that* many...
The boxes aren't heavily loaded (about 10% system, 90% idle), and have plenty of free memory. They aren't swapping. I've tested turning off logging, which had virtually no effect.
Anybody encountered anything similar? Is it likely to simply be related to the number of rules?
Cheers,
Jasper
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
-- Jasper Bryant-Greene Director Album Limited jasper(a)albumltd.co.nz +64 21 708 334 / 0800 425 286 http://www.albumltd.co.nz/
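The point Jasper raises about the connection-tracking rules not sitting near the top of the chains is the usual cause of this kind of slowdown on a large ruleset: every packet of an already-established flow that is not caught by an early ESTABLISHED,RELATED accept walks through all the per-service rules ahead of it before it matches. The script below is an added example, not something posted in the thread or part of Shorewall; it parses iptables-save output (a constructed sample is embedded so it runs offline) and reports, per chain, the position of the first ESTABLISHED/RELATED accept rule and the chain's total rule count, so an administrator can see how many rules each packet of an established connection traverses before it is accepted.

```shell
#!/bin/sh
# Report where the first ESTABLISHED/RELATED accept sits in a chain,
# relative to the total number of rules in that chain.
# Input: iptables-save text on stdin.  Output: "<chain> <index> <total>",
# with index 0 when the chain has no such rule at all.
state_rule_position() {
  awk -v chain="$1" '
    $1 == "-A" && $2 == chain {
      n++
      # match both "-m state --state RELATED,ESTABLISHED" and
      # "-m conntrack --ctstate ESTABLISHED,RELATED" accept rules
      if (!found && /--(ct)?state +[A-Z,]*ESTABLISHED/ && /-j ACCEPT/) found = n
    }
    END { print chain, found + 0, n + 0 }
  '
}

# Constructed sample (not from a real box): per-service rules sit ahead of
# the state rule in FORWARD, so every packet of an established flow is
# checked against two rules first; INPUT has the state rule in position 1.
SAMPLE_RULES=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.0.0.0/8 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
)

# Stand-alone run over the sample.  On a live firewall (as root) use:
#   iptables-save | state_rule_position FORWARD
for chain in INPUT FORWARD OUTPUT; do
  printf '%s\n' "$SAMPLE_RULES" | state_rule_position "$chain"
done
```

A result such as "FORWARD 2000 2415" means an established flow's packets are compared against roughly two thousand rules each before being accepted, which is exactly the per-packet cost a large ruleset imposes when the state rule is late; the same chain with the state rule in position 1 costs one comparison per packet. Where the rules are generated by Shorewall rather than written by hand, the fix has to be made in Shorewall's configuration rather than by editing the chains directly, since the next restart would regenerate them.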