[CentOS] Optimizing CentOS for gigabit firewall

nate centos at linuxpowered.net
Fri Dec 18 17:06:57 UTC 2009


sadas sadas wrote:
>
> Hi,
>  I want to configure CentOS on a powerful server with gigabit
> adapters as a transparent bridge and deploy it in front of a server farm.
> Can you tell me how to optimize the OS for high packet processing? What
> configuration do I need to do to achieve very high speeds and thousands of
>  packets?

iptables makes a TERRIBLE firewall; use pf instead:

http://www.openbsd.org/faq/pf/index.html

Also consider how you're going to provide redundancy: if you have a web
server farm, you want to protect it with at least two firewalls, not
one.

http://www.openbsd.org/faq/pf/carp.html

I haven't used CARP myself, but I did set up a pair of pf firewalls about
5 years ago in a large network in bridging mode. The layer 3 fault
tolerance was provided by OSPF on the core switches; the firewalls
were active-active (with pfsync) since they were layer 2 only.

Maybe someday Linux will fix the overly complex iptables system into
something that is more manageable; not holding my breath though.

If you want really high speed (say multi-GbE), though, you'll want/need
to go with an appliance-based solution.

Also, since you're referring to a web server farm, it is perfectly
acceptable not to use firewalls these days if you have a good
load balancer; it serves the same role as a firewall in that it
only passes traffic that you specifically configure it to pass. Also,
in high traffic environments the performance of load balancers
destroys most firewalls, making investing in a high end firewall
a very expensive proposition.

I've worked for the better part of the last 10 years with
companies who did not have firewalls in front of their web servers
for this reason: it didn't make sense $$-wise, because the benefit
wasn't there, and the added complexity and performance implications
weren't worth it either. Talk to most load balancing companies and
they'll tell you this themselves.

nate
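For readers unfamiliar with the setup nate describes (a layer 2 pf bridge with states shared over pfsync), here is what the OpenBSD side of it looks like in configuration files. This is an added illustration, not configuration from the original post or from the OpenBSD project; the interface names em0/em1/em2, the 192.0.2.x server addresses and the open ports are constructed assumptions, and the hostname.if syntax shown is the ifconfig-style form OpenBSD reads at boot.

```conf
# /etc/hostname.em0  -- side facing the upstream switch (no address: pure bridge)
up

# /etc/hostname.em1  -- side facing the web servers (no address: pure bridge)
up

# /etc/hostname.bridge0  -- join the two ports into one transparent bridge
add em0
add em1
up

# /etc/hostname.pfsync0  -- share firewall state with the second box over a
# dedicated back-to-back link (em2), so either bridge can carry any flow
syncdev em2
up

# /etc/pf.conf  -- filter once, on the outside port, and let the inside pass
ext_if = "em0"                        # assumption: upstream-facing bridge port
int_if = "em1"                        # assumption: server-facing bridge port
web_servers = "{ 192.0.2.10 192.0.2.11 }"   # constructed example addresses

set skip on { lo0 em2 }               # never filter loopback or the pfsync link

# A bridged packet crosses both ports; passing everything on the inside port
# avoids evaluating the ruleset twice.
pass quick on $int_if

# Default deny on the outside port, logged for inspection with tcpdump on pflog0.
block in log on $ext_if

# Only the published services reach the farm, tracked statefully so the
# peer firewall (via pfsync) can take over mid-connection.
pass in on $ext_if proto tcp to $web_servers port { 80 443 } \
    flags S/SA keep state

# Replies and server-originated traffic leave through the outside port.
pass out on $ext_if keep state
```

Load the ruleset with `pfctl -f /etc/pf.conf` and inspect shared state with `pfctl -ss` on either box; because the bridge carries no IP addresses of its own, there is no route to it to attack, and the pfsync link should stay on a physically separate segment since it is neither authenticated nor encrypted.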