[CentOS] Optimizing CentOS for gigabit firewall

Mon Dec 21 09:57:17 UTC 2009
Pasi Kärkkäinen <pasik at iki.fi>

On Mon, Dec 21, 2009 at 10:17:48AM +0100, Timo Schoeler wrote:
> thus Pasi Kärkkäinen spake:
> > On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
> >>    I will explain more deeply. I need to deploy a firewall(s) in front of web
> >>    server farm because I need to do billing - I will use CentOS with iptables
> >>    + ipset to store a list if my clients so when client doesn't pay his
> >>    server's IP is out of the list and he can't access the web server.
> >>
> >>    Second - I know that iptables is very heavy and it's not recommended to
> >>    use it in gigabit firewall but I don't have a choice as far as I know only
> >>    ipset works with iptables. I don't know can pf store 500 IPs in one list.
> >>    Ipset is written for that purpose.
> >>
> >>    I can't find information is there linux or BSD distribution with effective
> >>    firewall that uses optimized algorithm to store hundreds of IPs and to
> >>    forward huge traffic. Any idea?
> >>
> > 
> > I've been using Linux (CentOS5) on gigabit firewalls, for thousands of
> > users. No problems.
> 
> Yeah, but what is your ruleset?
>

Hundreds of chains, thousands of rules..

> > Just make sure ip_conntrack_max is big enough, so you don't run out of
> > connections. 
> 
> Just three months ago I saw a CentOS L2TP cluster explode because of 
> this -- and the machines have _plenty_ of RAM each. Turned off 
> ip[6]tables entirely and let the Ciscos do this was the only solution.
> 

The default values are way too low. First step is to increase that
value.

> > There are other things to tune to optimize the performance, but it's
> > certainly doable with linux+iptables.
> 
> Nail, hammer, etc. ;)
> 

-- Pasi