[unisog] IPTables as high bandwidth firewall
Johan van Reijendam
jvanreij at stanford.edu
Wed Aug 3 22:00:45 GMT 2005
First of all, thank you for your replies so far.
In reply to the question of what my throughput would be. I would like to
be able to put this firewall on a gigabit link. In many cases traffic
will be VLAN tagged. The system will most likely not be used at wire
speed but the closer I can get the better. Any tips, tweaks and
Most of the information that I have found so far is at least a couple of
years old and was obtained running older Linux versions (generally Red Hat
7.2 etc.). Some of it is from the LVS (Linux Virtual Server) project. From
what I have been able to read so far there are a number of issues that
need to be considered:
1. Being able to handle VLAN tags. Most interface cards do not support
VLAN tags and will flag the frames as oversized because the added 4
byte header exceeds the maximum allowable Ethernet frame size of 1514 bytes.
(Of the NICs that can handle VLAN tags Intel EtherPro NICs are
mentioned. There are more ...)
2. The hardware used. As mentioned in some of the replies, the most important
issue seems to be for the CPU to be able to get the packets off the
interface fast enough. This is limited by the PCI bus.
The recommendations so far are:
- Use a fast PCI bus: 66 MHz/64-bit or 100 MHz/64-bit or PCI-X
(This would suggest using a 64-bit CPU to take advantage of 64-bit data
transfer to the CPU)
- In case of multiple NICs, make sure the PCI slot used by each NIC is on
a separate bus.
- Use a single CPU (SMP introduces locking overhead which usually the
advantage. This is from the LVS site. Not sure if it is still an issue)
- The speed of the CPU does not really matter. Current CPUs are fast enough
to handle all the traffic.
- Memory for connection tracking (issue 3)
3. IPTables connection tracking. The CONNTRACK_MAX and HASHSIZE use
'average values for "reasonable" use'. The CONNTRACK_MAX determines the
maximum number of sessions that can be handled simultaneously. These two
values determine the occupied amount of fixed, non-swappable kernel
memory whether there are connections or not.
For a 32-bit PC with 512Mb of RAM this would be:

    CONNTRACK_MAX = RAMSIZE (in bytes) / 16384
                  = RAMSIZE (in MegaBytes) * 64
                  = 32768 (simultaneous netfilter connections by default)

(It is mentioned that this depends on the pointer size, so that on a
64-bit system the CONNTRACK_MAX is twice the size of that of a 32-bit system)

    HASHSIZE = CONNTRACK_MAX / 8
             = RAMSIZE (in bytes) / 131072
             = RAMSIZE (in MegaBytes) * 8
             = 4096 buckets (# of linked lists in the hashtable)

Here ideally the CONNTRACK_MAX value should be set high so that the
kernel would not iterate over the linked list for a given bucket.
4. What about
- Large rule sets
- System memory requirements
- Logging (ULOG ?)
- Rule changes
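The CONNTRACK_MAX / HASHSIZE rules of thumb from point 3 above, worked through as a small sizing calculator. This is an added example, not code from the original message; the sysctl and module-parameter names it prints are the current kernel's (net.netfilter.nf_conntrack_max and /sys/module/nf_conntrack/parameters/hashsize) rather than the ip_conntrack names of the 2005 kernels discussed in the post, and the 80% warning threshold is an arbitrary choice.

```python
import math

MIB = 1024 * 1024


def default_conntrack_sizing(ram_mib: int) -> dict:
    """Defaults as described in the post: one conntrack slot per 16 KiB of
    RAM and one hash bucket per 8 slots (so chains average 8 entries)."""
    conntrack_max = ram_mib * MIB // 16384
    hashsize = conntrack_max // 8
    return {
        "conntrack_max": conntrack_max,
        "hashsize": hashsize,
        "avg_chain_len": conntrack_max / hashsize,
    }


def recommended_sizing(expected_sessions: int, headroom: float = 1.5,
                       target_chain_len: int = 1) -> dict:
    """Size the table for an expected peak session count plus headroom, and
    pick a hash size so that even a full table averages target_chain_len
    entries per bucket (short chains keep lookups cheap)."""
    conntrack_max = math.ceil(expected_sessions * headroom)
    hashsize = math.ceil(conntrack_max / target_chain_len)
    return {"conntrack_max": conntrack_max, "hashsize": hashsize}


def check_table_pressure(count: int, conntrack_max: int,
                         warn_ratio: float = 0.8) -> tuple:
    """Compare a live entry count with the limit. Once the table is full the
    kernel drops packets for new connections, so warn well before that."""
    ratio = count / conntrack_max
    return (round(ratio, 3), "WARN" if ratio >= warn_ratio else "OK")


def sysctl_lines(sizing: dict) -> list:
    """Render the settings as lines an operator would apply (assumed names
    of the current nf_conntrack implementation)."""
    return [
        f"net.netfilter.nf_conntrack_max = {sizing['conntrack_max']}",
        f"echo {sizing['hashsize']} > /sys/module/nf_conntrack/parameters/hashsize",
    ]


if __name__ == "__main__":
    print(default_conntrack_sizing(512))            # the post's 32768 / 4096 case
    print(sysctl_lines(recommended_sizing(100000)))
    print(check_table_pressure(30000, 32768))       # constructed sample counts
```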
Johan van Reijendam
Network Security Engineer