[unisog] IPTables as high bandwidth firewall

Johan van Reijendam jvanreij at stanford.edu
Wed Aug 3 22:00:45 GMT 2005


First of all thank you for your replies so far.

In reply to the question of what my throughput would be. I would like to 
be able to put this firewall on a gigabit link. In many cases traffic 
will be VLAN tagged. The system will most likely not be used at wire 
speed but the closer I can get the better. Any tips, tweaks and 
suggestions welcome.

Most of the information that I have found so far is at least a couple 
years old and obtained running older linux versions (generally Redhat 
7.2 etc). Some of it from the LVS (Linux Virtual Server) project. From 
what I have been able to read so far there are a number of issues that 
need to be considered:

1. Being able to handle VLAN tags. Most interface cards do not support 
VLAN tags and will flag the frames as oversized because the added 4 
byte header exceeds the maximum allowable Ethernet frame size of 1514 bytes.
(Of the NICs that can handle VLAN tags, Intel EtherPro NICs are 
mentioned. There are more ...)

2. The hardware used. As mentioned in some of replies the most important 
issue seems to be for the CPU to be able to get the packets off the 
interface fast enough. This is limited by the PCI bus.

The recommendations so far are:

- Use a fast PCI bus: 66 MHz/64-bit or 100 MHz/64-bit or PCI-X
(This would suggest using a 64-bit CPU to take advantage of 64-bit data 
transfer to the CPU)
- In case of multiple NICs make sure the PCI slot used by each NIC is on 
a separate bus.
- Use a single CPU (SMP introduces locking overhead which usually the 
advantage. This is from the LVS site. Not sure if it is still an issue)
- The speed of the CPU does not really matter. Current CPUs are fast enough 
to handle all the traffic.
- Memory for connection tracking (issue 3)

3. IPTables connection tracking. The CONNTRACK_MAX and HASHSIZE use 
'average values for "reasonable" use'. The CONNTRACK_MAX determines the 
maximum number of sessions that can be handled simultaneously. These two 
values determine the occupied amount of fixed, non-swappable kernel 
memory whether there are connections or not.

For a 32-bit PC with 512 MB of RAM this would be:

CONNTRACK_MAX = RAMSIZE (in bytes) / 16384
              = RAMSIZE (in MegaBytes) * 64
              = 512*64
              = 32768 (simultaneous netfilter connections by default)

(It is mentioned that this depends on the pointer size, so that on a 
64-bit system the CONNTRACK_MAX is twice the size of that of a 32-bit system)

HASHSIZE      = RAMSIZE (in bytes) / 131072
              = RAMSIZE (in MegaBytes) * 8
              = 4096 buckets (# of linked lists in the hashtable)

Here, ideally, the CONNTRACK_MAX value should be set high so that the 
kernel would not iterate over the linked list for a given bucket.

4. What about

- Large rule sets
- System memory requirements
- Logging (ULOG ?)
- Rule changes


Johan van Reijendam
Network Security Engineer
Stanford University
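The sizing arithmetic from item 3, as an added example that is not part of the original post: it derives the 32-bit defaults from RAM, checks live counters for headroom and for the average per-bucket chain length the last paragraph warns about, and sizes the table for an expected peak. The sample counters are constructed; the /proc and /sys paths are the kernel's own conntrack counters and are read only if present.

```python
"""Conntrack sizing per the formulas in the post (32-bit defaults:
CONNTRACK_MAX = RAM/16384, HASHSIZE = RAM/131072 = CONNTRACK_MAX/8)."""
from dataclasses import dataclass
from pathlib import Path

MIB = 1024 * 1024


def default_sizing(ram_mib):
    """Kernel defaults derived from RAM on a 32-bit system."""
    conntrack_max = ram_mib * MIB // 16384   # one entry per 16 KiB of RAM
    hashsize = ram_mib * MIB // 131072       # one bucket per 8 entries
    return conntrack_max, hashsize


@dataclass
class ConntrackStatus:
    count: int      # entries currently tracked
    max: int        # CONNTRACK_MAX
    hashsize: int   # number of hash buckets


def read_live():
    """Read the live counters (nf_conntrack names, then the older ip_conntrack
    names); returns None on a host without netfilter conntrack."""
    for mod in ("nf_conntrack", "ip_conntrack"):
        base = Path("/proc/sys/net/netfilter" if mod == "nf_conntrack"
                    else "/proc/sys/net/ipv4/netfilter")
        hs = Path(f"/sys/module/{mod}/parameters/hashsize")
        try:
            return ConntrackStatus(int((base / f"{mod}_count").read_text()),
                                   int((base / f"{mod}_max").read_text()),
                                   int(hs.read_text()))
        except OSError:
            continue
    return None


def check(status, max_utilisation=0.8, max_chain=1.0):
    """Findings for a table near exhaustion or with long bucket chains.
    Thresholds are assumptions, not kernel values; empty list means fine."""
    findings = []
    util = status.count / status.max
    if util >= max_utilisation:
        findings.append(f"table {util:.0%} full: new flows dropped at {status.max}")
    chain = status.count / status.hashsize   # average linked-list walk per lookup
    if chain > max_chain:
        findings.append(f"avg bucket chain {chain:.1f} > {max_chain}: raise hashsize")
    return findings


def recommend(expected_flows, headroom=2.0):
    """Size for a peak with headroom, one bucket per entry so lookups stay O(1)."""
    conntrack_max = int(expected_flows * headroom)
    return conntrack_max, conntrack_max
```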
