[KLUG Members] A plea for firewall ideas

Phillip Hofmeister plhofmei at antiochcomputerconsulting.com
Tue Aug 31 16:51:02 EDT 2004


On Tue, 31 Aug 2004 at 03:43:16PM -0400, Adam Bultman wrote:
> 
> >
> >If a slow Pentium 100-200 Mhz machine can firewall a full T1 without
> >much noticeable increase in load average, then why can't a slightly
> >faster machine firewall a much larger pipe?
> >
> > 
> >
> We currently have 900 MHz celerons with 256 MB RAM, and they completely 
> choke at ~6mbit.
> 
> I think the usage of the firewall has to be closely defined; because I'm 
> positive that the traffic at work could drop that box in a heartbeat.  
> Heck, we get the 900 busy really busy.

One of the keys, of course, is to make your firewall rules such that
packets get examined as little as possible.  I have 3 interfaces in my
machine (eth0, eth1, lo).  There are only 3 rules in my INPUT chain:
one that directs eth0 traffic to a rigorous test, one that sends eth1 to a
lesser test, and one that just ACCEPTs traffic on lo.

In the eth0 chain I don't run a bunch of ICMP tests on a packet that is
TCP; instead, I have rules that check the protocol type and then send
it down the proper subchain.

Be conscious of how you have your rules set up and what they are doing.

-- 
Phillip Hofmeister
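The chain layout described in the message above, written out as an added example (not the poster's own ruleset) in iptables-restore format: the INPUT chain holds only three dispatch rules, one per interface, and the chain for the outside interface branches by protocol before any detailed tests run, so a TCP packet never traverses the ICMP rules. The interface roles (eth0 outside, eth1 inside), the allowed ports, and the early ESTABLISHED,RELATED shortcut are assumptions added here; the shortcut goes one step beyond the message, since it lets the bulk of return traffic skip every per-protocol chain. The script only prints the ruleset and counts rules per chain; it does not load anything.

```shell
#!/bin/sh
# Added example: a small iptables ruleset laid out so that each packet is
# examined by as few rules as possible.  Interface roles and port numbers
# are assumptions, not taken from the original message.

gen_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:in_ext - [0:0]
:in_int - [0:0]
:ext_tcp - [0:0]
:ext_udp - [0:0]
:ext_icmp - [0:0]
# INPUT: exactly three rules, dispatching by interface only
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j in_ext
-A INPUT -i eth1 -j in_int
# outside interface (assumed eth0): replies to our own connections leave
# immediately, everything else is split by protocol before closer checks
-A in_ext -m state --state ESTABLISHED,RELATED -j ACCEPT
-A in_ext -p tcp -j ext_tcp
-A in_ext -p udp -j ext_udp
-A in_ext -p icmp -j ext_icmp
-A in_ext -j DROP
# TCP from outside: only new SSH sessions (assumed service)
-A ext_tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A ext_tcp -j DROP
# UDP from outside: nothing unsolicited is needed here
-A ext_udp -j DROP
# ICMP from outside: echo requests only, rate limited; the rest is dropped
-A ext_icmp -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A ext_icmp -j DROP
# inside interface (assumed eth1): the lesser test from the message
-A in_int -m state --state ESTABLISHED,RELATED -j ACCEPT
-A in_int -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A in_int -p icmp -j ACCEPT
-A in_int -j DROP
COMMIT
EOF
}

# Number of rules appended to a given chain in the generated ruleset.
rules_in_chain() {
    gen_ruleset | grep -c "^-A $1 "
}

# Longest path a packet can take through the filter for one interface and
# protocol: the INPUT dispatch rules it passes, plus the per-interface chain,
# plus the per-protocol subchain (outside interface only).
max_rules_traversed() {
    iface=$1
    proto=$2
    case "$iface" in
        lo)   echo 1 ;;
        eth0) echo $(( 2 + $(rules_in_chain in_ext) + $(rules_in_chain "ext_$proto") )) ;;
        eth1) echo $(( 3 + $(rules_in_chain in_int) )) ;;
        *)    echo 0 ;;
    esac
}

# When run directly, print the ruleset so it can be reviewed or piped into
# iptables-restore on a test box, then summarise the chain sizes.
if [ "${1:-}" = "--show" ]; then
    gen_ruleset
    for c in INPUT in_ext ext_tcp ext_udp ext_icmp in_int; do
        printf '%-9s %s rules\n' "$c" "$(rules_in_chain "$c")"
    done
fi
```

Run with `sh rules.sh --show` to see the ruleset and the per-chain counts; on a test machine, `gen_ruleset | iptables-restore` loads it, and `iptables -L -v -n` afterwards shows packet counters per rule, which is the quickest way to confirm that the early dispatch rules are doing most of the work and the detailed subchains see only what they should.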