thus Pasi Kärkkäinen spake:
On Mon, Dec 21, 2009 at 10:17:48AM +0100, Timo Schoeler wrote:
thus Pasi Kärkkäinen spake:
On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
I will explain more deeply. I need to deploy a firewall (or firewalls) in front of a web server farm because I need to do billing. I will use CentOS with iptables
and ipset to store a list of my clients, so when a client doesn't pay, his
server's IP is taken out of the list and he can't access the web server.
Second, I know that iptables is very heavy and it's not recommended for a gigabit firewall, but I don't have a choice: as far as I know, only ipset works with iptables. I don't know whether pf can store 500 IPs in one list. ipset is written for that purpose.
I can't find information on whether there is a Linux or BSD distribution with an effective firewall that uses an optimized algorithm to store hundreds of IPs and forward huge traffic. Any idea?
I've been using Linux (CentOS5) on gigabit firewalls, for thousands of users. No problems.
Yeah, but what is your ruleset?
Hundreds of chains, thousands of rules.
Just make sure ip_conntrack_max is big enough, so you don't run out of connections.
Just three months ago I saw a CentOS L2TP cluster explode because of this -- and the machines have _plenty_ of RAM each. Turning off ip[6]tables entirely and letting the Ciscos do this was the only solution.
The default values are way too low. First step is to increase that value.
That was the first thing I tried; unfortunately, I didn't really see the sense in giving iptables the vast majority of 32 GiB of RAM...
There are other things to tune to optimize the performance, but it's certainly doable with Linux + iptables.
Nail, hammer, etc. ;)
-- Pasi
Timo
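The scheme the original poster describes (an ipset of paying clients consulted by iptables in front of the web farm) together with the ip_conntrack_max sizing the replies argue about, as an added shell example that is not code from any participant in this thread. The set name, chain name, the 10% RAM budget, the per-entry cost CT_ENTRY_BYTES and the client list file are assumptions. The list is rebuilt into a temporary set and swapped in, so a refresh never leaves the live set empty.

```shell
#!/bin/sh
# Added example, not code from the thread. Set name, chain name, RAM budget
# and CT_ENTRY_BYTES are assumptions; adjust them to the box in question.
set -u

SET_NAME=${SET_NAME:-paid_clients}
CHAIN=WEBFARM_BILLING

# Assumed average memory cost of one conntrack entry (including its share
# of the hash table), used only to size nf_conntrack_max.
CT_ENTRY_BYTES=350

# Emit an "ipset restore" stream from a file of client IPs (one per line,
# blank lines and '#' comments ignored). Entries go into a temporary set
# that is then swapped with the live one: the live set is never empty
# mid-rebuild, so a paying client is never dropped during a refresh.
ipset_restore_stream() {  # args: set_name ip_file
    tmp="${1}_tmp"
    echo "create $tmp hash:ip family inet hashsize 1024 maxelem 65536"
    echo "create $1 hash:ip family inet hashsize 1024 maxelem 65536"
    grep -Ev '^[[:space:]]*(#|$)' "$2" | while read -r ip; do
        echo "add $tmp $ip"
    done
    echo "swap $tmp $1"
    echo "destroy $tmp"
}

# Conntrack sizing: ip_conntrack_max (nf_conntrack_max on newer kernels)
# is the ceiling on tracked flows. Bound it by the share of RAM you are
# willing to give the table, and give the hash about one bucket per 8
# entries so lookups stay short.
conntrack_max_for_ram() {  # args: ram_kib mem_pct -> entries
    echo $(( $1 * 1024 / 100 * $2 / CT_ENTRY_BYTES ))
}
conntrack_hashsize_for_max() {  # args: conntrack_max -> buckets
    echo $(( $1 / 8 ))
}

# Forwarding rules: replies of already accepted flows pass first, so the
# set is only consulted for new connections; everything else is dropped.
# On CentOS 5 kernels the state match is spelled "-m state --state".
allowlist_rules() {  # args: set_name -> iptables commands on stdout
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
iptables -C FORWARD -j $CHAIN 2>/dev/null || iptables -A FORWARD -j $CHAIN
iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -m set --match-set $1 src -j ACCEPT
iptables -A $CHAIN -j DROP
EOF
}

# Apply on the firewall (needs root). Does nothing unless APPLY=1, so the
# helpers above can be sourced or tested without touching the live system.
# Usage: APPLY=1 CLIENTS=/etc/paid_clients.txt sh billing_fw.sh
apply() {
    ram_kib=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    ct_max=$(conntrack_max_for_ram "$ram_kib" 10)
    ipset_restore_stream "$SET_NAME" "$CLIENTS" | ipset -exist restore
    allowlist_rules "$SET_NAME" | sh -e
    sysctl -w net.netfilter.nf_conntrack_max="$ct_max"
    conntrack_hashsize_for_max "$ct_max" > /sys/module/nf_conntrack/parameters/hashsize
}
if [ "${APPLY:-0}" = 1 ]; then apply; fi
```

One caveat a billing setup needs to know: because the ESTABLISHED,RELATED rule sits before the set match, removing a client with `ipset del` (or a refresh that omits him) only blocks new connections; flows already in the conntrack table keep passing until they time out. To cut him off immediately, also flush his entries with `conntrack -D -s <ip>` from conntrack-tools. The `hashsize` write and the `net.netfilter.*` sysctl names are the current spellings; on the CentOS 5 kernel discussed in the thread the knob is `net.ipv4.netfilter.ip_conntrack_max` and the module is `ip_conntrack`.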