The machines aren't connected to a Telstra-supplied media converter, are they? Telstra probably recently changed something, as we ran into significant problems of a similar nature yesterday and had to fiddle with the duplexing...

Erin Salmon
Managing Director
Unleash Technology Solutions
Phone: +64 3 365 1273
Mobile: +64 275 877 913

-----Original Message-----
From: Jasper Bryant-Greene [mailto:jasper(a)digiweb.net.nz]
Sent: Friday, 19 January 2007 12:31 p.m.
To: nznog(a)list.waikato.ac.nz
Subject: [nznog] Shocking iptables performance

We currently have a pair of Linux iptables firewall boxes that are being replaced in a month's time with a pair of Cisco ASA firewalls. Recently, during testing, we noticed that transfer rates through the Ciscos (attached to the same Cisco routers on the other side) are over 30x faster than through the iptables firewalls.

I know that iptables isn't hugely fast (there's a reason you pay for Ciscos, etc.), but the resources I have read usually indicate that iptables slowness is related to massive rulesets. We have 2415 rules, which I don't consider to be *that* many...

The boxes aren't heavily loaded (about 10% system, 90% idle), and have plenty of free memory. They aren't swapping. I've tested turning off logging, which had virtually no effect.

Anybody encountered anything similar? Is it likely to simply be related to the number of rules?

Cheers
Jasper

--
_________________________________________
http://www.digiweb.co.nz
Webhosting, Dedicated Servers, E-commerce
Phone: (64 3) 351 6713
Fax: (64 3) 351 6705
Free: 0800 DIGIWEB (0800 344-493)
Email: jasper(a)digiweb.co.nz

PLEASE NOTE: The information contained in this email message and any attached files may be confidential and subject to privilege. The views expressed may not necessarily be the official view of Digiweb New Zealand Limited. All technical advice and opinions are offered on a 'no-liability' basis. If you are not the intended recipient, you are notified that any use, disclosure or copying of this email is unauthorised. If you have received this email in error, please notify us immediately by reply email and delete the original. Thank you.

_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.16.13/634 - Release Date: 17/01/2007 4:45 p.m.
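The two diagnoses raised in this thread (a duplex mismatch on the link, and a packet having to walk a flat 2415-rule chain) can both be checked offline. The script below is an added example and is not code from either poster or from the NZNOG list. Part 1 parses `ethtool` and `ip -s link show` output and flags the mismatch signature Erin describes; part 2 is a toy model of netfilter chain traversal that counts how many rules one packet touches under a flat layout versus a layout with an early conntrack ESTABLISHED accept and per-interface sub-chains. The sample command output, the split of the 2415 rules into five interfaces times 483 ports, and the packet fields are all constructed assumptions; the chain walker counts rule evaluations only and does not model the cost of the conntrack lookup itself.

```python
"""Added example (not from the list posts): duplex-mismatch triage plus a
toy iptables chain walker. All sample text and rule layouts are constructed."""
import re

# ---- Part 1: duplex / link-error triage ----------------------------------
# Constructed samples in the shape of `ethtool eth0` and `ip -s link show eth0`
# (assumption: a 100 Mb/s link that negotiated half duplex against a far end
# hard-set to full, which shows up as collisions and receive errors).
ETHTOOL_SAMPLE = """Settings for eth0:
\tSupported link modes:   10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full
\tSpeed: 100Mb/s
\tDuplex: Half
\tAuto-negotiation: on
\tLink detected: yes
"""
IPLINK_SAMPLE = """2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    123456789  987654   2140    0       0       10
    TX: bytes  packets  errors  dropped carrier collsns
    98765432   876543   0       0       0       5311
"""

def link_settings(ethtool_text):
    """Extract Speed, Duplex and Auto-negotiation from ethtool output."""
    found = {}
    for key in ("Speed", "Duplex", "Auto-negotiation"):
        m = re.search(r"^\s*%s:\s*(\S+)" % key, ethtool_text, re.M)
        if m:
            found[key] = m.group(1)
    return found

def link_counters(iplink_text):
    """Return (rx_errors, tx_collisions) from `ip -s link show` output.
    The header line names the columns; the numbers sit on the next line."""
    lines = iplink_text.splitlines()
    rx_errors = tx_collisions = 0
    for i, line in enumerate(lines):
        cols = line.split()
        if cols and cols[0] == "RX:":
            rx_errors = int(lines[i + 1].split()[cols.index("errors") - 1])
        elif cols and cols[0] == "TX:":
            tx_collisions = int(lines[i + 1].split()[cols.index("collsns") - 1])
    return rx_errors, tx_collisions

def duplex_mismatch_suspected(ethtool_text, iplink_text):
    """Half duplex together with collisions or receive errors is the classic
    mismatch signature: a clean full-duplex link has zero collisions."""
    settings = link_settings(ethtool_text)
    rx_errors, collisions = link_counters(iplink_text)
    return settings.get("Duplex") == "Half" and (collisions > 0 or rx_errors > 0)

# ---- Part 2: how many rules does one packet touch? ------------------------
# A rule is (match, target): match is a dict of packet fields that must all be
# equal; target is ACCEPT, DROP, RETURN or the name of a user chain to jump to.
BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}

def walk(chains, chain, pkt, policy="DROP"):
    """Evaluate pkt against a chain the way netfilter does: rules are tested
    top to bottom, the first match decides, jumps recurse and fall back on
    RETURN or at the end of a user chain, and a builtin chain ends at its
    policy. Returns (verdict, number_of_rules_evaluated)."""
    evaluated = 0
    for match, target in chains[chain]:
        evaluated += 1
        if all(pkt.get(k) == v for k, v in match.items()):
            if target in ("ACCEPT", "DROP"):
                return target, evaluated
            if target == "RETURN":
                break
            verdict, sub = walk(chains, target, pkt, policy)
            evaluated += sub
            if verdict is not None:
                return verdict, evaluated
    return (policy if chain in BUILTIN else None), evaluated

# Assumed shape for the 2415 rules in the post: five interfaces x 483 ports.
IFACES = ["eth%d" % i for i in range(5)]
PORTS = list(range(10000, 10483))

# Flat layout: every rule lives in FORWARD and nothing short-circuits.
FLAT = {"FORWARD": [({"in": i, "dport": p}, "ACCEPT") for i in IFACES for p in PORTS]}

# Restructured: accept established flows first (one conntrack lookup instead
# of a rule scan), then dispatch on ingress interface into a short sub-chain.
STRUCTURED = {"FORWARD": [({"state": "ESTABLISHED"}, "ACCEPT")]
              + [({"in": i}, "FWD_" + i) for i in IFACES]}
for iface in IFACES:
    STRUCTURED["FWD_" + iface] = [({"dport": p}, "ACCEPT") for p in PORTS]

def compare(pkt):
    """Rules evaluated for one packet under the flat and restructured layouts."""
    return walk(FLAT, "FORWARD", pkt)[1], walk(STRUCTURED, "FORWARD", pkt)[1]

if __name__ == "__main__":
    print("duplex mismatch suspected:", duplex_mismatch_suspected(ETHTOOL_SAMPLE, IPLINK_SAMPLE))
    worst_new = {"in": "eth4", "dport": PORTS[-1], "state": "NEW"}
    reply = dict(worst_new, state="ESTABLISHED")
    print("rules per packet (flat, structured): new", compare(worst_new), "reply", compare(reply))
```

On a live box, feed part 1 with the real `ethtool eth0` and `ip -s link show eth0` output and check both ends of the link, including any media converter, since a mismatch is only visible as collisions and errors on the half-duplex side. For part 2, the per-rule packet counters from `iptables -L FORWARD -v -n -x` show how deep into the chain real traffic is getting; if the bulk of the bytes are matched near the bottom, the early ESTABLISHED,RELATED accept and per-interface sub-chains are the usual restructuring, and in the model above they cut the worst-case walk from 2415 rule evaluations to 489 for a new connection and to 1 for every subsequent packet of that flow.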