[KLUG Members] A plea for firewall ideas

Adam Tauno Williams adam at morrison-ind.com
Wed Sep 1 09:03:12 EDT 2004


> We are sending ~250k messages an hour during these problems, and I'm not 
> worried about mail server throughput, only firewall throughput.  The two 
> mail servers are behind the firewall, not on the firewall.

Honestly, it is hard to believe there is a legitimate use for that
quantity of messages.  That's a message for every resident of the state
of Michigan in only a few hours; major universities don't generate that
much traffic.

> >>>not just normal mail, but large amounts of mail for clients. We have two 
> >>>servers that will send this mail, and the activity usually peaks at 8 
> >>>Mbit for about 4 hours (Connections come in from one of the internal 
> >>>zones, gets SNATted on the way out, etc).

How big is your Internet pipeline?

> >>I'm not following why email would be different than other internet
> >>traffic, and why passing traffic should use so much CPU power.  
> In speaking with someone else, it was a matter of "open TCP 
> connections", not just 'how much traffic I'm sending'.  

This is possible with that insane number of connections; you might just
want to try adjusting the FIN/ACK timeouts, as you probably have lots of
dead remotes with that number of connections.  There are several TCP
connection-handling parameters available via sysctl.

Some are covered in -
ftp://ftp.kalamazoolinux.org/pub/pdf/PerfTune2001.pdf
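An added example, not part of the original post or the linked PDF, of what the
timeout tuning above looks like on a Linux firewall that SNATs the mail
servers' traffic with iptables. The point a practitioner should see: flows
that merely pass through the firewall are held in the netfilter connection
tracking table, so the knobs that matter are the per-state conntrack timeouts
and the table size, not the host's own socket timeouts such as
net.ipv4.tcp_fin_timeout. The script counts live entries per TCP state (from
/proc/net/ip_conntrack or /proc/net/nf_conntrack, whichever the kernel has),
estimates how many entries a given message rate pins down per state, and
writes shorter timeouts under the 2.4-era ip_conntrack and the later
nf_conntrack sysctl names. The sample table lines are constructed, and the
timeout and table-size values are starting points I assume for an outbound
SMTP workload, not figures from the thread.

```shell
#!/bin/sh
# Added example, not code from the original post. Measures how many forwarded
# (SNATted) TCP flows the firewall's connection-tracking table is holding per
# state, sizes the table from the sender's connection rate, and shortens the
# per-state timeouts. Sysctl names are the 2.4-era ip_conntrack ones and the
# later nf_conntrack ones; whichever exists on the box is written.

# Constructed sample in /proc/net/ip_conntrack layout (addresses are from the
# documentation ranges; none of this is captured from a real firewall).
SAMPLE_TABLE='tcp      6 431999 ESTABLISHED src=10.0.1.5 dst=203.0.113.7 sport=40321 dport=25 src=203.0.113.7 dst=198.51.100.2 sport=25 dport=40321 [ASSURED] use=1
tcp      6 119 TIME_WAIT src=10.0.1.5 dst=203.0.113.9 sport=40322 dport=25 src=203.0.113.9 dst=198.51.100.2 sport=25 dport=40322 [ASSURED] use=1
tcp      6 118 TIME_WAIT src=10.0.1.6 dst=203.0.113.10 sport=40323 dport=25 src=203.0.113.10 dst=198.51.100.2 sport=25 dport=40323 [ASSURED] use=1
tcp      6 110 FIN_WAIT src=10.0.1.6 dst=203.0.113.11 sport=40324 dport=25 src=203.0.113.11 dst=198.51.100.2 sport=25 dport=40324 [ASSURED] use=1
tcp      6 55 CLOSE_WAIT src=10.0.1.7 dst=203.0.113.12 sport=40325 dport=25 src=203.0.113.12 dst=198.51.100.2 sport=25 dport=40325 [ASSURED] use=1
udp      17 29 src=10.0.1.8 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=198.51.100.2 sport=53 dport=5353 use=1'

# count_state STATE  (table on stdin): TCP entries sitting in that state.
# Handles both the ip_conntrack layout ("tcp 6 <timeout> <state> ...") and the
# nf_conntrack layout ("ipv4 2 tcp 6 <timeout> <state> ...").
count_state() {
    awk -v s="$1" '
        $1 == "tcp" && $4 == s { n++ }
        $3 == "tcp" && $6 == s { n++ }
        END { print n + 0 }'
}

# entries_needed CONNS_PER_HOUR TIMEOUT_SECONDS: entries one state holds at
# steady state (Little's law: arrival rate times time spent in the state).
entries_needed() {
    echo $(( $1 * $2 / 3600 ))
}

# conntrack_table: print the live table from whichever /proc file exists.
conntrack_table() {
    if [ -r /proc/net/nf_conntrack ]; then cat /proc/net/nf_conntrack
    elif [ -r /proc/net/ip_conntrack ]; then cat /proc/net/ip_conntrack
    fi
    return 0
}

# set_sysctl KEY VALUE: write via /proc so a missing key is skipped, not fatal.
# Set DRY_RUN=1 to only print what would change.
set_sysctl() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    [ -e "$path" ] || return 0
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would set $1 = $2 (currently $(cat "$path"))"
    else
        echo "$2" > "$path"
    fi
}

# Shorten the states where dead remotes pile up. The ESTABLISHED default is
# five days, which is what keeps half-open sessions to unreachable MXs in the
# table; an hour is plenty for an SMTP session. Values are assumed starting
# points, not tuned figures.
tune_conntrack() {
    for prefix in net.ipv4.netfilter.ip_conntrack net.netfilter.nf_conntrack; do
        set_sysctl "${prefix}_tcp_timeout_established" 3600
        set_sysctl "${prefix}_tcp_timeout_fin_wait"    60
        set_sysctl "${prefix}_tcp_timeout_close_wait"  30
        set_sysctl "${prefix}_tcp_timeout_time_wait"   30
    done
    set_sysctl net.ipv4.ip_conntrack_max      "$1"
    set_sysctl net.netfilter.nf_conntrack_max "$1"
}

# Stand-alone run: report on the live table if there is one, else the sample,
# then show (dry run) what the tuning would change.
table="$(conntrack_table)"
[ -n "$table" ] || table="$SAMPLE_TABLE"
for st in ESTABLISHED FIN_WAIT CLOSE_WAIT TIME_WAIT; do
    printf '%-12s %s\n' "$st" "$(printf '%s\n' "$table" | count_state "$st")"
done
# 250k messages/hour: TIME_WAIT entries at the 120 s default vs the 30 s above
echo "TIME_WAIT at 250k/h: 120s -> $(entries_needed 250000 120), 30s -> $(entries_needed 250000 30)"
DRY_RUN=1 tune_conntrack 262144
```

Run it as root on the firewall with DRY_RUN=1 first; the per-state counts tell
you which timeout is actually holding the table open (a pile of ESTABLISHED
entries with timeouts near 432000 means remotes that went away without
closing), and entries_needed gives the table size to expect once a timeout is
lowered. Drop the DRY_RUN line from a boot script to make the change
persistent.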


