[KLUG Members] A plea for firewall ideas

Adam Bultman adamb at glaven.org
Tue Aug 31 18:01:21 EDT 2004



Adam Tauno Williams wrote:

>>>We currently have 900 MHz celerons with 256 MB RAM, and they completely 
>>>choke at ~6mbit.
>>>I think the usage of the firewall has to be closely defined; because I'm 
>>>positive that the traffic at work could drop that box in a heartbeat.  
>>>Heck, we get the 900 busy, really busy.
>>>Of course, what are we doing?
>>>We do a lot of NAT, some SNAT, and have a handful of internal zones. We 
>>>have ~20 ipsec VPNs, use iptables extensively, etc etc etc. 
>>
>>IMO, it's the VPN's that are using up your CPU (if they are used a lot).
>
>Agree, nothing else described here should consume significant CPU power;
>unless of course there is a bug in your DNS or SMTP processes.
During the problems, it is post-midnight, and the VPNs are usually 
silent.  If there is any traffic, it is only nagios pinging the other 
side to make sure things are up. 


>>That can be solved by a faster machine, or more machines.
>
>I'd put the VPNs off on their own box.  IPSEC is evil, and needs to be kept
>in a cage, and just for good measure - occasionally tortured.
>
>>>The thing that drops the firewalls the worst, though, is sending mail - 
>
>Something is VERY wrong.  Our sendmail boxes can flip streams of 10Mb
>attachment messages back and forth with no measurable effect on CPU load
>whatsoever.  Are your spooling directories hashed?  Have you disabled
>atime?  You're not using ext2/3 are you?  (ext2/3 will KILL YOUR CPU if
>you have large queuing/spooling directories; by large we mean several
>thousand messages in the queue).
We are sending ~250k messages an hour during these problems, and I'm not 
worried about mail server throughput, only firewall throughput.  The two 
mail servers are behind the firewall, not on the firewall.


>>>not just normal mail, but large amounts of mail for clients. We have two 
>>>servers that will send this mail, and the activity usually peaks at 8 
>>>Mbit for about 4 hours (Connections come in from one of the internal 
>>>zones, get SNATted on the way out, etc).
>
>Sounds the same as here.
>
>Mailclient<---SMTP--->SMTPServer<--SMTP---|Firewall,NAT|--->Internet
>
>>>Those peaks used to be at 14 Mbit, and for shorter, until we got VRRP 
>>>running.  We've capped our bandwidth that way because the CPU stays at 
>>>100% usage during the sends.  I'm sure that if we had faster CPUs, we'd 
>>>be able to send faster.
>
>Seems really odd unless your VPN compressors are just swamping the
>CPUs.  There is nothing else in this scenario that would account for CPU
>swamping.
Again, no VPN traffic at all to speak of, or if any, a few telnet 
sessions here and there running for the night-owl worker.

>>I'm not following why email would be different than other internet
>>traffic, and why passing traffic should use so much CPU power.  
In speaking with someone else, it was a matter of "open TCP 
connections", not just 'how much traffic I'm sending'.  Ipsec0 tells me 
that it has received 450 MB, and sent 3.8 GB. Not enough for the amount 
of time the system has been up - probably ~100 days.

And let's not forget - things got a lot worse when VRRP was introduced 
to allow failover between the two firewalls.

>Right.
>
>>Is the firewall also the email server?  
>>Or maybe those email go over your VPN's?
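The "open TCP connections" observation above is what a NAT firewall's connection-tracking table actually has to hold: every SMTP session the two mail servers open becomes a tracked entry on the firewall, regardless of how many bytes it carries. The script below is added here as an illustration and is not part of this thread or code posted by anyone in it. It parses lines in the /proc/net/ip_conntrack format of 2.4/2.6-era kernels (the later /proc/net/nf_conntrack layout, with its ipv4 prefix, is also accepted), using constructed sample lines with documentation-range addresses, and reports how many tracked connections each internal host is holding, in which TCP states, and how full the table is against the ip_conntrack_max / nf_conntrack_max limit. The sample addresses, the threshold and the table size passed in are assumptions; on a real box you would feed it the actual /proc file.

```python
"""Summarise Linux connection-tracking entries to see how many open
connections a mass mailing run pushes through a NAT firewall.

Added example; sample data is constructed, not captured from any real host."""
import re
from collections import Counter

# Constructed /proc/net/ip_conntrack lines: two internal mail servers
# (10.0.5.11, 10.0.5.12) sending outbound SMTP, SNATted to 198.51.100.1,
# plus one workstation doing DNS and HTTP. Documentation ranges throughout.
SAMPLE_CONNTRACK = """\
tcp      6 117 SYN_SENT src=10.0.5.11 dst=203.0.113.25 sport=40001 dport=25 [UNREPLIED] src=203.0.113.25 dst=198.51.100.1 sport=25 dport=40001 use=1
tcp      6 431999 ESTABLISHED src=10.0.5.11 dst=203.0.113.26 sport=40002 dport=25 src=203.0.113.26 dst=198.51.100.1 sport=25 dport=40002 [ASSURED] use=1
tcp      6 119 TIME_WAIT src=10.0.5.12 dst=203.0.113.27 sport=40003 dport=25 src=203.0.113.27 dst=198.51.100.1 sport=25 dport=40003 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.5.12 dst=203.0.113.28 sport=40004 dport=25 src=203.0.113.28 dst=198.51.100.1 sport=25 dport=40004 [ASSURED] use=1
tcp      6 117 SYN_SENT src=10.0.5.12 dst=203.0.113.29 sport=40005 dport=25 [UNREPLIED] src=203.0.113.29 dst=198.51.100.1 sport=25 dport=40005 use=1
udp      17 29 src=10.0.1.4 dst=10.0.1.1 sport=53211 dport=53 src=10.0.1.1 dst=10.0.1.4 sport=53 dport=53211 use=1
tcp      6 431999 ESTABLISHED src=10.0.1.4 dst=203.0.113.80 sport=50000 dport=80 src=203.0.113.80 dst=198.51.100.1 sport=80 dport=50000 [ASSURED] use=1
"""

_HEAD = re.compile(
    r"^(?:ipv4\s+\d+\s+)?"          # nf_conntrack (newer kernels) prefixes the L3 family
    r"(?P<proto>[a-z]+)\s+\d+\s+"   # protocol name and number
    r"(?P<timeout>\d+)\s+"          # seconds until the entry expires
    r"(?:(?P<state>[A-Z_]+)\s+)?"   # TCP state; absent for udp/icmp entries
)
# The original tuple comes first, the reply tuple second; under SNAT the
# reply tuple's dst is the firewall's external address.
_TUPLE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+sport=(\d+)\s+dport=(\d+)")


def parse_conntrack(text):
    """Turn conntrack table text into a list of dicts, one per entry."""
    entries = []
    for line in text.splitlines():
        head = _HEAD.match(line)
        if not head:
            continue
        tuples = _TUPLE.findall(line)
        if len(tuples) < 2:
            continue  # malformed line; skip rather than guess
        orig, reply = tuples[0], tuples[1]
        entries.append({
            "proto": head.group("proto"),
            "timeout": int(head.group("timeout")),
            "state": head.group("state") or "",
            "src": orig[0], "dst": orig[1],
            "sport": int(orig[2]), "dport": int(orig[3]),
            "nat_src": reply[1],               # address the outside world sees
            "unreplied": "[UNREPLIED]" in line,  # SYN sent, no answer yet
            "assured": "[ASSURED]" in line,      # traffic seen both ways
        })
    return entries


def summarize(entries):
    """Counts by TCP state, originating host and destination port."""
    tcp = [e for e in entries if e["proto"] == "tcp"]
    return {
        "total": len(entries),
        "tcp": len(tcp),
        "by_state": Counter(e["state"] for e in tcp),
        "by_src": Counter(e["src"] for e in entries),
        "by_dport": Counter(e["dport"] for e in tcp),
        "unreplied": sum(e["unreplied"] for e in tcp),
    }


def heavy_sources(entries, threshold):
    """Internal hosts holding more than `threshold` tracked TCP connections."""
    counts = Counter(e["src"] for e in entries if e["proto"] == "tcp")
    return {src: n for src, n in counts.items() if n > threshold}


def table_pressure(entry_count, conntrack_max):
    """Fraction of the conntrack table in use. As this approaches 1.0 the
    kernel starts dropping new connections ('table full, dropping packet')."""
    return entry_count / conntrack_max


if __name__ == "__main__":
    # On a live firewall: open("/proc/net/ip_conntrack").read() instead,
    # and read the limit from /proc/sys/net/ipv4/ip_conntrack_max.
    found = parse_conntrack(SAMPLE_CONNTRACK)
    s = summarize(found)
    print(f"{s['total']} entries, {s['tcp']} tcp: {dict(s['by_state'])}")
    print("per source:", dict(s["by_src"]), "smtp:", s["by_dport"][25])
    print("over threshold:", heavy_sources(found, 2))
    print("table use: {:.1%}".format(table_pressure(s["total"], 65536)))
```

Run it periodically (cron or the same nagios check mentioned above) during the mailing window and compare the per-source SMTP count and the table fraction against quiet hours; a high `unreplied` count relative to `ESTABLISHED` also shows sessions being opened faster than remote MTAs answer, which is what drives table churn and the CPU spent on it.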


