[CentOS] Optimizing CentOS for gigabit firewall

[Timo Schoeler]

thus Pasi Kärkkäinen spake:
> On Mon, Dec 21, 2009 at 10:17:48AM +0100, Timo Schoeler wrote:
>> thus Pasi Kärkkäinen spake:
>>> On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
>>>>    I will explain more deeply. I need to deploy a firewall(s) in front of web
>>>>    server farm because I need to do billing - I will use CentOS with iptables
>>>>    + ipset to store a list if my clients so when client doesn't pay his
>>>>    server's IP is out of the list and he can't access the web server.
>>>>
>>>>    Second - I know that iptables is very heavy and it's not recommended to
>>>>    use it in gigabit firewall but I don't have a choice as far as I know only
>>>>    ipset works with iptables. I don't know can pf store 500 IPs in one list.
>>>>    Ipset is written for that purpose.
>>>>
>>>>    I can't find information is there linux or BSD distribution with effective
>>>>    firewall that uses optimized algorithm to store hundreds of IPs and to
>>>>    forward huge traffic. Any idea?
>>>>
>>> I've been using Linux (CentOS5) on gigabit firewalls, for thousands of
>>> users. No problems.
>> Yeah, but what is your ruleset?
>>
> 
> Hundreds of chains, thousands of rules..
> 
>>> Just make sure ip_conntrack_max is big enough, so you don't run out of
>>> connections. 
>> Just three months ago I saw a CentOS L2TP cluster explode because of 
>> this -- and the machines have _plenty_ of RAM each. Turned off 
>> ip[6]tables entirely and let the Ciscos do this was the only solution.
>>
> 
> The default values are way too low. First step is to increase that
> value.

Was the first thing I tried; unfortunately, I didn't really see sense in 
giving iptables the vast majority of 32GiByte RAM...

>>> There are other things to tune to optimize the performance, but it's
>>> certainly doable with linux+iptables.
>> Nail, hammer, etc. ;)
>>
> 
> -- Pasi

Timo