I will explain more deeply. I need to deploy a firewall(s) in front of web server farm because I need to do billing - I will use CentOS with iptables + ipset to store a list if my clients so when client doesn't pay his server's IP is out of the list and he can't access the web server.
Second - I know that iptables is very heavy and it's not recommended to use it in gigabit firewall but I don't have a choice as far as I know only ipset works with iptables. I don't know can pf store 500 IPs in one list. Ipset is written for that purpose.
I can't find information is there linux or BSD distribution with effective firewall that uses optimized algorithm to store hundreds of IPs and to forward huge traffic. Any idea?
regards
I'll second damn near everything nate said, and hopefully add a tidbit or two.
If you're new to BSD, you may want to consider the pfsense project in the aforementioned active-active configuration.
It gives you a nice, intuitive gui to manage your failover firewalls, if you insist on putting a firewall in front of your web servers.
Better to secure the box, leave only the ports you need open on the public interfaces, and don't firewall them.
Also, I'd strongly consider running your firewalls with no disk at all. A Live CD, CF card or USB Flash to boot off of, remote syslog and one less subsystem (disks) to buy/fail makes for some mighty cheap 1U servers. A single dual-core with core speeds above 3.0Ghz and 4GB of RAM is to pass Gb @ line rate - ethernet overhead. Truth be told, it's already being done on much less than that. You can also load balance your traffic, albiet somewhat primitively with it. If you really want massive throughput, consider toying around with extremely expensive 10G gear, size RAM appropriately, and see how PF performs under multi-processor, high-core speed. but if you're handling over a Gb of traffic and you can't split the application into multiple farms, that's the best move.
Akamai, for instance, runs 10G to each rack, each rack has around 20-24 servers, and they run GB to the server.
pfsense.org has extensive information about hardware requirements, features, and what you're looking to do.
https://calomel.org/network_performance.html is an excellent BSD firewall performance site.
One thing to note, you are claiming to want to deploy this as a passive bridge. You cannot do what you want to do running anything in bridge mode. The packets need to route somehow. Get a /29 from your colo provider and ask to have your existing block routed through it once you've tested it.
Another option for a seamless failover, is to alias a different range of IP's to the server interfaces, put a /29 and whatever netblock you want to end up being your public IP block on the PFSense hardware. When you're convinced everything's working through rigorous testing, put a test domain up pointing to that block, modify virtualhost entries on the servers to respond to that domain with your production web site, and test some more. Once you're convinced that's working perfectly, make the changes in DNS to point your production domain at the IP's you want, and failover will happen with DNS convergence.
Peter
On Fri, Dec 18, 2009 at 9:06 AM, nate centos@linuxpowered.net > wrote: sadas sadas wrote:
Hi,
I want to configure CentOS on powerful server with gigabit
adapters as transparent bridge and deploy it in front of server farm. Can you tell how to optimize the OS for hight packet processing? What configurations I need to do to achieve very hight speeds and thousands of
packets?
iptables makes a TERRIBLE firewall, use pf instead
http://www.openbsd.org/faq/pf/index.html
Also consider how your going to provide redundancy, if you have a web server farm you want to protect them with at least two firewalls, not one.
http://www.openbsd.org/faq/pf/carp.html
I haven't used CARP myself but did setup a pair of pf firewalls about 5 years ago in a large network in bridging mode, the layer 3 fault tolerance was provided by OSPF on the core switches, the firewalls were active-active(with pfsync) since they were layer 2 only.
Maybe someday linux will fix the overly complex iptables system to something that is more manageable, not holding my breath though.
If you want really high speed(say multi GbE) though you'll want/need to go with an appliance based solution.
Also since your referring to a web server farm, it is perfectly acceptable to not use firewalls these days, if you have a good load balancer that serves the same role as a firewall in that it only passes traffic that you specifically configure it to pass. Also in high traffic environments the performance of load balancers destroys most firewalls, making investing in a high end firewall a very expensive proposition.
I've worked for the better part of the last 10 years with companies who did not have firewalls in front of their web servers for this reason, it didn't make sense $ wise, because the benefit wasn't there, and the added complexity, and performance implications wasn't worth it either. Talk to most load balancing companies and they'll tell you this themselves.
nate
On Fri, Dec 18, 2009 at 2:36 PM, sadas sadas mailrc@abv.bg wrote:
I can't find information is there linux or BSD distribution with effective firewall that uses optimized algorithm to store hundreds of IPs and to forward huge traffic. Any idea?
I think you'll find that this kind of thing can be handled by pf without pf breaking a sweat.
And you can ask 100 people what they think you'll find and get 100 different answers. What you really need to do is configure this setup for a controlled test. Only then will you have a good idea what to expect when you go into production.
sadas sadas wrote:
I can't find information is there linux or BSD distribution with effective firewall that uses optimized algorithm to store hundreds of IPs and to forward huge traffic. Any idea?
Hundreds?
http://www.openbsd.org/faq/pf/tables.html
"A table is used to hold a group of IPv4 and/or IPv6 addresses. Lookups against a table are very fast and consume less memory and processor time than lists. For this reason, a table is ideal for holding a large group of addresses as the lookup time on a table holding 50,000 addresses is only slightly more than for one holding 50 addresses. Tables can be used in the following ways:
* source and/or destination address in filter, NAT, and redirection rules. * translation address in NAT rules. * redirection address in redirection rules. * destination address in route-to, reply-to, and dup-to filter rule options."
nuff said ?
I love linux, I've been using it for almost 15 years now, I absolutely hate iptables(and ipchains, and ipfwadm). By contrast I absolutely hate everything about OpenBSD except for pf(which I love, ipfw and ipf aren't too bad either, at least for the era), so I use OpenBSD for firewalls, and linux for everything else.
nate
I can't find information is there linux or BSD distribution with effective firewall that uses optimized algorithm to store hundreds of IPs and to forward huge traffic. Any idea?
Hundreds?
http://www.openbsd.org/faq/pf/tables.html
"A table is used to hold a group of IPv4 and/or IPv6 addresses. Lookups against a table are very fast and consume less memory and processor time than lists. For this reason, a table is ideal for holding a large group of addresses as the lookup time on a table holding 50,000 addresses is only slightly more than for one holding 50 addresses. Tables can be used in the following ways:
* source and/or destination address in filter, NAT, and redirection rules. * translation address in NAT rules. * redirection address in redirection rules. * destination address in route-to, reply-to, and dup-to filter rule
options."
nuff said ?
I love linux, I've been using it for almost 15 years now, I absolutely hate iptables(and ipchains, and ipfwadm). By contrast I absolutely hate everything about OpenBSD except for pf(which I love, ipfw and ipf aren't too bad either, at least for the era), so I use OpenBSD for firewalls, and linux for everything else.
I can back this; during 2009, I deployed a bunch of load balancers running OpenBSD (using pf, carpd, and relayd). I used to be a super die hard BSD guy, but through the years and having used/deployed/propagated NetBSD, then FreeBSD, then OpenBSD, then NetBSD again, I took one of my usual once-a-year looks at GNU/Linux (this time, it was CentOS, after having worked with RHEL for some years), I got settled here.
Long story short: I'd really recommend OpenBSD for your task. iptables really sucks. I recently deployed some machines running several virtual instances (however still the cheapest *proven* way to get several IP stacks in Linux) doing L2 routing, I threw iptables off of that machines because it just can't handle stuff at that rate. OpenBSD rocks, I even have a setup running (active-active, load balanced) at about 40Mbps using Alix boards [0] -- they rock, and they are no way busy.
OpenBSDs documentation is the best out there, it's documentational quality is what I really really badly miss in the Linux world. However, the community is a bunch of (sorry in advance) assholes. But this is well known throughout the internet, so: You have been warned. Great product, totally lame vendor. ;)
Timo
[0] -- http://pcengines.ch/alix.htm
nate
I don't know jack about IPSet, but I know enabling or disabling hosts in bare stock PF without the gui in front of it is about as easy as it gets.
The PF configuration file syntax was designed from the ground up to be sane, unlike iptables, which typically needs some decent sysadmin scripting or using fwbuilder to make any good sense of. There is no finer opensource firewall product on the market, in terms of performance, ease of configuration and use, and other issues.
If you're not opposed to vi, for what you're looking to accomplish, moving to BSD and pf is a no-brainer. PF can definitely handle a list of 500 hosts and anything else you've mentioned. It's absolutely capable, easier, and in general, for anything that involves packet filtering at all, about as good as it gets.
Peter
On Fri, Dec 18, 2009 at 11:36 AM, sadas sadas mailrc@abv.bg wrote:
I will explain more deeply. I need to deploy a firewall(s) in front of web server farm because I need to do billing - I will use CentOS with iptables + ipset to store a list if my clients so when client doesn't pay his server's IP is out of the list and he can't access the web server.
Second - I know that iptables is very heavy and it's not recommended to use it in gigabit firewall but I don't have a choice as far as I know only ipset works with iptables. I don't know can pf store 500 IPs in one list. Ipset is written for that purpose.
I can't find information is there linux or BSD distribution with effective firewall that uses optimized algorithm to store hundreds of IPs and to forward huge traffic. Any idea?
regards
I'll second damn near everything nate said, and hopefully add a tidbit or two.
If you're new to BSD, you may want to consider the pfsense project in the aforementioned active-active configuration.
It gives you a nice, intuitive gui to manage your failover firewalls, if you insist on putting a firewall in front of your web servers.
Better to secure the box, leave only the ports you need open on the public interfaces, and don't firewall them.
Also, I'd strongly consider running your firewalls with no disk at all. A Live CD, CF card or USB Flash to boot off of, remote syslog and one less subsystem (disks) to buy/fail makes for some mighty cheap 1U servers. A single dual-core with core speeds above 3.0Ghz and 4GB of RAM is to pass Gb @ line rate - ethernet overhead. Truth be told, it's already being done on much less than that. You can also load balance your traffic, albiet somewhat primitively with it. If you really want massive throughput, consider toying around with extremely expensive 10G gear, size RAM appropriately, and see how PF performs under multi-processor, high-core speed. but if you're handling over a Gb of traffic and you can't split the application into multiple farms, that's the best move.
Akamai, for instance, runs 10G to each rack, each rack has around 20-24 servers, and they run GB to the server.
pfsense.org has extensive information about hardware requirements, features, and what you're looking to do.
https://calomel.org/network_performance.html is an excellent BSD firewall performance site.
One thing to note, you are claiming to want to deploy this as a passive bridge. You cannot do what you want to do running anything in bridge mode. The packets need to route somehow. Get a /29 from your colo provider and ask to have your existing block routed through it once you've tested it.
Another option for a seamless failover, is to alias a different range of IP's to the server interfaces, put a /29 and whatever netblock you want to end up being your public IP block on the PFSense hardware. When you're convinced everything's working through rigorous testing, put a test domain up pointing to that block, modify virtualhost entries on the servers to respond to that domain with your production web site, and test some more. Once you're convinced that's working perfectly, make the changes in DNS to point your production domain at the IP's you want, and failover will happen with DNS convergence.
Peter
On Fri, Dec 18, 2009 at 9:06 AM, nate centos@linuxpowered.net wrote:
sadas sadas wrote:
Hi, I want to configure CentOS on powerful server with gigabit adapters as transparent bridge and deploy it in front of server farm. Can you tell how to optimize the OS for hight packet processing? What configurations I need to do to achieve very hight speeds and thousands
of
packets?
iptables makes a TERRIBLE firewall, use pf instead
http://www.openbsd.org/faq/pf/index.html
Also consider how your going to provide redundancy, if you have a web server farm you want to protect them with at least two firewalls, not one.
http://www.openbsd.org/faq/pf/carp.html
I haven't used CARP myself but did setup a pair of pf firewalls about 5 years ago in a large network in bridging mode, the layer 3 fault tolerance was provided by OSPF on the core switches, the firewalls were active-active(with pfsync) since they were layer 2 only.
Maybe someday linux will fix the overly complex iptables system to something that is more manageable, not holding my breath though.
If you want really high speed(say multi GbE) though you'll want/need to go with an appliance based solution.
Also since your referring to a web server farm, it is perfectly acceptable to not use firewalls these days, if you have a good load balancer that serves the same role as a firewall in that it only passes traffic that you specifically configure it to pass. Also in high traffic environments the performance of load balancers destroys most firewalls, making investing in a high end firewall a very expensive proposition.
I've worked for the better part of the last 10 years with companies who did not have firewalls in front of their web servers for this reason, it didn't make sense $ wise, because the benefit wasn't there, and the added complexity, and performance implications wasn't worth it either. Talk to most load balancing companies and they'll tell you this themselves.
nate
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 12/18/2009 10:05 PM, Peter Serwe wrote:
I don't know jack about IPSet, but I know enabling or disabling hosts in bare stock PF without the gui in front of it is about as easy as it gets.
The PF configuration file syntax was designed from the ground up to be sane, unlike iptables, which typically needs some decent sysadmin scripting or using fwbuilder to make any good sense of. There is no finer opensource firewall product on the market, in terms of performance, ease of configuration and use, and other issues.
If you're not opposed to vi, for what you're looking to accomplish, moving to BSD and pf is a no-brainer. PF can definitely handle a list of 500 hosts and anything else you've mentioned. It's absolutely capable, easier, and in general, for anything that involves packet filtering at all, about as good as it gets.
Peter
Just as recommendation: Besides OpenBSD's really phantastis documentation, there are some books that are really great:
The Book of PF: A No-Nonsense Guide to the BSD Firewall (by Peter N. M. Hansteen)
The Openbsd Pf Packet Filter Book (by Jeremy C. Reed)
HTH,
Timo
On Friday 18 December 2009 16:05, Peter Serwe wrote:
I don't know jack about IPSet, but I know enabling or disabling hosts in bare stock PF without the gui in front of it is about as easy as it gets.
IPTALES is the same;
iptables -A [INPUT/FORWARD] -d <ip address> -j [REJECT/DROP]
The PF configuration file syntax was designed from the ground up to be sane, unlike iptables, which typically needs some decent sysadmin scripting or using fwbuilder to make any good sense of.
I beg to differ here. IPTABLES is not that hard when you understand it. Like anything else, once you know what you are doing it isn't that hard. And no, I have never used any GUI program to configure my firewalls.
There is no finer opensource firewall product on the market, in terms of performance, ease of configuration and use, and other issues.
This is all subjective to the user. I would say that PF is a nightmare and IPTABLES is easier to use.
If you're not opposed to vi, for what you're looking to accomplish, moving to BSD and pf is a no-brainer. PF can definitely handle a list of 500 hosts and anything else you've mentioned. It's absolutely capable, easier, and in general, for anything that involves packet filtering at all, about as good as it gets.
Again this is all subjective to the user.
On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
I will explain more deeply. I need to deploy a firewall(s) in front of web server farm because I need to do billing - I will use CentOS with iptables
- ipset to store a list if my clients so when client doesn't pay his
server's IP is out of the list and he can't access the web server.
Second - I know that iptables is very heavy and it's not recommended to use it in gigabit firewall but I don't have a choice as far as I know only ipset works with iptables. I don't know can pf store 500 IPs in one list. Ipset is written for that purpose.
I can't find information is there linux or BSD distribution with effective firewall that uses optimized algorithm to store hundreds of IPs and to forward huge traffic. Any idea?
I've been using Linux (CentOS5) on gigabit firewalls, for thousands of users. No problems.
Just make sure ip_conntrack_max is big enough, so you don't run out of connections.
There are other things to tune to optimize the performance, but it's certainly doable with linux+iptables.
-- Pasi
regards
peter.serwe@gmail.comcentos@centos.orgI'll second damn near everything nate said, and hopefully add a tidbit or two.
If you're new to BSD, you may want to consider the pfsense project in the aforementioned active-active configuration.
It gives you a nice, intuitive gui to manage your failover firewalls, if you insist on putting a firewall in front of your web servers.
Better to secure the box, leave only the ports you need open on the public interfaces, and don't firewall them.
Also, I'd strongly consider running your firewalls with no disk at all. A Live CD, CF card or USB Flash to boot off of, remote syslog and one less subsystem (disks) to buy/fail makes for some mighty cheap 1U servers. A single dual-core with core speeds above 3.0Ghz and 4GB of RAM is to pass Gb @ line rate - ethernet overhead. Truth be told, it's already being done on much less than that. You can also load balance your traffic, albiet somewhat primitively with it. If you really want massive throughput, consider toying around with extremely expensive 10G gear, size RAM appropriately, and see how PF performs under multi-processor, high-core speed. but if you're handling over a Gb of traffic and you can't split the application into multiple farms, that's the best move.
Akamai, for instance, runs 10G to each rack, each rack has around 20-24 servers, and they run GB to the server.
[1]pfsense.org has extensive information about hardware requirements, features, and what you're looking to do.
[2]https://calomel.org/network_performance.html is an excellent BSD firewall performance site.
One thing to note, you are claiming to want to deploy this as a passive bridge. You cannot do what you want to do running anything in bridge mode. The packets need to route somehow. Get a /29 from your colo provider and ask to have your existing block routed through it once you've tested it.
Another option for a seamless failover, is to alias a different range of IP's to the server interfaces, put a /29 and whatever netblock you want to end up being your public IP block on the PFSense hardware. When you're convinced everything's working through rigorous testing, put a test domain up pointing to that block, modify virtualhost entries on the servers to respond to that domain with your production web site, and test some more. Once you're convinced that's working perfectly, make the changes in DNS to point your production domain at the IP's you want, and failover will happen with DNS convergence.
Peter
On Fri, Dec 18, 2009 at 9:06 AM, nate <[3]centos@linuxpowered.net> wrote:
sadas sadas wrote: > > Hi, > I want to configure CentOS on powerful server with gigabit > adapters as transparent bridge and deploy it in front of server farm. > Can you tell how to optimize the OS for hight packet processing? What > configurations I need to do to achieve very hight speeds and thousands of > packets? iptables makes a TERRIBLE firewall, use pf instead [4]http://www.openbsd.org/faq/pf/index.html Also consider how your going to provide redundancy, if you have a web server farm you want to protect them with at least two firewalls, not one. [5]http://www.openbsd.org/faq/pf/carp.html I haven't used CARP myself but did setup a pair of pf firewalls about 5 years ago in a large network in bridging mode, the layer 3 fault tolerance was provided by OSPF on the core switches, the firewalls were active-active(with pfsync) since they were layer 2 only. Maybe someday linux will fix the overly complex iptables system to something that is more manageable, not holding my breath though. If you want really high speed(say multi GbE) though you'll want/need to go with an appliance based solution. Also since your referring to a web server farm, it is perfectly acceptable to not use firewalls these days, if you have a good load balancer that serves the same role as a firewall in that it only passes traffic that you specifically configure it to pass. Also in high traffic environments the performance of load balancers destroys most firewalls, making investing in a high end firewall a very expensive proposition. I've worked for the better part of the last 10 years with companies who did not have firewalls in front of their web servers for this reason, it didn't make sense $ wise, because the benefit wasn't there, and the added complexity, and performance implications wasn't worth it either. Talk to most load balancing companies and they'll tell you this themselves. nate
/centos@centos.org/peter.serwe@gmail.com
References
Visible links
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
thus Pasi Kärkkäinen spake:
On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
I will explain more deeply. I need to deploy a firewall(s) in front of web server farm because I need to do billing - I will use CentOS with iptables
- ipset to store a list if my clients so when client doesn't pay his
server's IP is out of the list and he can't access the web server.
Second - I know that iptables is very heavy and it's not recommended to use it in gigabit firewall but I don't have a choice as far as I know only ipset works with iptables. I don't know can pf store 500 IPs in one list. Ipset is written for that purpose.
I can't find information is there linux or BSD distribution with effective firewall that uses optimized algorithm to store hundreds of IPs and to forward huge traffic. Any idea?
I've been using Linux (CentOS5) on gigabit firewalls, for thousands of users. No problems.
Yeah, but what is your ruleset?
Just make sure ip_conntrack_max is big enough, so you don't run out of connections.
Just three months ago I saw a CentOS L2TP cluster explode because of this -- and the machines have _plenty_ of RAM each. Turned off ip[6]tables entirely and let the Ciscos do this was the only solution.
There are other things to tune to optimize the performance, but it's certainly doable with linux+iptables.
Nail, hammer, etc. ;)
-- Pasi
Timo
On Mon, Dec 21, 2009 at 10:17:48AM +0100, Timo Schoeler wrote:
thus Pasi Kärkkäinen spake:
On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
I will explain more deeply. I need to deploy a firewall(s) in front of web server farm because I need to do billing - I will use CentOS with iptables
- ipset to store a list if my clients so when client doesn't pay his
server's IP is out of the list and he can't access the web server.
Second - I know that iptables is very heavy and it's not recommended to use it in gigabit firewall but I don't have a choice as far as I know only ipset works with iptables. I don't know can pf store 500 IPs in one list. Ipset is written for that purpose.
I can't find information is there linux or BSD distribution with effective firewall that uses optimized algorithm to store hundreds of IPs and to forward huge traffic. Any idea?
I've been using Linux (CentOS5) on gigabit firewalls, for thousands of users. No problems.
Yeah, but what is your ruleset?
Hundreds of chains, thousands of rules..
Just make sure ip_conntrack_max is big enough, so you don't run out of connections.
Just three months ago I saw a CentOS L2TP cluster explode because of this -- and the machines have _plenty_ of RAM each. Turned off ip[6]tables entirely and let the Ciscos do this was the only solution.
The default values are way too low. First step is to increase that value.
There are other things to tune to optimize the performance, but it's certainly doable with linux+iptables.
Nail, hammer, etc. ;)
-- Pasi
thus Pasi Kärkkäinen spake:
On Mon, Dec 21, 2009 at 10:17:48AM +0100, Timo Schoeler wrote:
thus Pasi Kärkkäinen spake:
On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
I will explain more deeply. I need to deploy a firewall(s) in front of web server farm because I need to do billing - I will use CentOS with iptables
- ipset to store a list if my clients so when client doesn't pay his
server's IP is out of the list and he can't access the web server.
Second - I know that iptables is very heavy and it's not recommended to use it in gigabit firewall but I don't have a choice as far as I know only ipset works with iptables. I don't know can pf store 500 IPs in one list. Ipset is written for that purpose.
I can't find information is there linux or BSD distribution with effective firewall that uses optimized algorithm to store hundreds of IPs and to forward huge traffic. Any idea?
I've been using Linux (CentOS5) on gigabit firewalls, for thousands of users. No problems.
Yeah, but what is your ruleset?
Hundreds of chains, thousands of rules..
Just make sure ip_conntrack_max is big enough, so you don't run out of connections.
Just three months ago I saw a CentOS L2TP cluster explode because of this -- and the machines have _plenty_ of RAM each. Turned off ip[6]tables entirely and let the Ciscos do this was the only solution.
The default values are way too low. First step is to increase that value.
Was the first thing I tried; unfortunately, I didn't really see sense in giving iptables the vast majority of 32GiByte RAM...
There are other things to tune to optimize the performance, but it's certainly doable with linux+iptables.
Nail, hammer, etc. ;)
-- Pasi
Timo