[KLUG Members] A plea for firewall ideas

Adam Tauno Williams adam at morrison-ind.com
Tue Aug 31 16:14:42 EDT 2004


> > We currently have 900 MHz celerons with 256 MB RAM, and they completely 
> > choke at ~6mbit.
> > I think the usage of the firewall has to be closely defined; because I'm 
> > positive that the traffic at work could drop that box in a heartbeat.  
> > Heck, we get the 900 busy really busy.
> > Of course, what are we doing?
> > We do a lot of NAT, some SNAT, and have a handful of internal zones. We 
> > have ~20 ipsec VPNs, use iptables extensively, etc etc etc. 
> IMO, it's the VPNs that are using up your CPU (if they are used a lot).

Agree, nothing else described here should consume significant CPU power;
unless of course there is a bug in your DNS or SMTP processes.

> That can be solved by a faster machine, or more machines.

I'd put the VPNs off on their own box.  IPSEC is evil, and needs to be kept
in a cage, and just for good measure - occasionally tortured.

> > The thing that drops the firewalls the worst, though, is sending mail - 

Something is VERY wrong.  Our sendmail boxes can flip streams of 10Mb
attachment messages back and forth with no measurable effect on CPU load
whatsoever.  Are your spooling directories hashed?  Have you disabled
atime?  You're not using ext2/3, are you?  (ext2/3 will KILL YOUR CPU if
you have large queuing/spooling directories; by large we mean several
thousand messages in the queue).

> > not just normal mail, but large amounts of mail for clients. We have two 
> > servers that will send this mail, and the activity usually peaks at 8 
> > Mbit for about 4 hours (Connections come in from one of the internal 
> > zones, gets SNATted on the way out, etc).

Sounds the same as here.

Mailclient<---SMTP--->SMTPServer<--SMTP---|Firewall,NAT|--->Internet

> > Those peaks used to be at 14 
> > Mbit, and for shorter, until we got VRRP running.  We've capped our 
> > bandwidth that way because the CPU stays at 100% usage during the 
> > sends.  I'm sure that if we had faster CPUs, we'd be able to send 
> > faster.

Seems really odd unless your VPN compressors are just swamping the
CPUs.  There is nothing else in this scenario that would account for CPU
swamping.

> I'm not following why email would be different than other internet
> traffic, and why passing traffic should use so much CPU power.  

Right.

> Is the firewall also the email server?  
> Or maybe those email go over your VPNs?
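As an added check (not from this thread or its author), a small POSIX sh function that answers two of the questions raised above for a given queue directory: is it sitting on ext2/ext3, and is the filesystem mounted with noatime? It reads a table in /proc/mounts format; the sample table below is constructed, and the mount points in it are assumptions.

```sh
#!/bin/sh
# check_spool_mount MOUNTPOINT [MOUNTS_TEXT]
# Prints one WARN line per finding; returns 1 if anything was found, 0 if clean.
# MOUNTS_TEXT defaults to the live /proc/mounts.

# Constructed sample in /proc/mounts format (assumed devices and mount points).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sdb1 /var/spool/mqueue ext2 rw 0 0
/dev/sdc1 /var/spool/clientmqueue reiserfs rw,noatime 0 0'

check_spool_mount() {
  mp=$1
  mounts=${2:-$(cat /proc/mounts)}
  # Longest-prefix match: pick the mount that actually contains the directory,
  # so /var/spool/mqueue is not mistaken for a dir living on the root fs.
  line=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '
    BEGIN { best = 0 }
    index(mp "/", $2 "/") == 1 || $2 == "/" {
      if (length($2) > best) { best = length($2); bl = $0 }
    }
    END { print bl }')
  [ -n "$line" ] || { echo "WARN: no mount found for $mp"; return 1; }
  set -- $line
  fstype=$3
  opts=$4
  rc=0
  # Large flat queue directories on ext2/ext3 are the case the thread warns about.
  case "$fstype" in
    ext2|ext3) echo "WARN: $mp is on $fstype; large queue directories scale badly"; rc=1 ;;
  esac
  # Only noatime counts as "atime disabled"; relatime still writes atime updates.
  case ",$opts," in
    *,noatime,*) ;;
    *) echo "WARN: $mp mounted without noatime (opts: $opts)"; rc=1 ;;
  esac
  return $rc
}

# Stand-alone use: ./check_spool.sh /var/spool/mqueue
[ $# -gt 0 ] && check_spool_mount "$@"
```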