[CentOS] Optimizing CentOS for gigabit firewall
Timo Schoeler
timo.schoeler at riscworks.net
Mon Dec 21 10:20:32 UTC 2009
thus Pasi Kärkkäinen spake:
> On Mon, Dec 21, 2009 at 10:17:48AM +0100, Timo Schoeler wrote:
>> thus Pasi Kärkkäinen spake:
>>> On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
>>>> I will explain more deeply. I need to deploy a firewall(s) in front of web
>>>> server farm because I need to do billing - I will use CentOS with iptables
>>>> + ipset to store a list if my clients so when client doesn't pay his
>>>> server's IP is out of the list and he can't access the web server.
>>>>
>>>> Second - I know that iptables is very heavy and it's not recommended to
>>>> use it in gigabit firewall but I don't have a choice as far as I know only
>>>> ipset works with iptables. I don't know can pf store 500 IPs in one list.
>>>> Ipset is written for that purpose.
>>>>
>>>> I can't find information is there linux or BSD distribution with effective
>>>> firewall that uses optimized algorithm to store hundreds of IPs and to
>>>> forward huge traffic. Any idea?
>>>>
>>> I've been using Linux (CentOS5) on gigabit firewalls, for thousands of
>>> users. No problems.
>> Yeah, but what is your ruleset?
>>
>
> Hundreds of chains, thousands of rules..
>
>>> Just make sure ip_conntrack_max is big enough, so you don't run out of
>>> connections.
>> Just three months ago I saw a CentOS L2TP cluster explode because of
>> this -- and the machines have _plenty_ of RAM each. Turned off
>> ip[6]tables entirely and let the Ciscos do this was the only solution.
>>
>
> The default values are way too low. First step is to increase that
> value.
Was the first thing I tried; unfortunately, I didn't really see sense in
giving iptables the vast majority of 32GiByte RAM...
>>> There are other things to tune to optimize the performance, but it's
>>> certainly doable with linux+iptables.
>> Nail, hammer, etc. ;)
>>
>
> -- Pasi
Timo
More information about the CentOS
mailing list