thus Pasi Kärkkäinen spake:
> On Mon, Dec 21, 2009 at 10:17:48AM +0100, Timo Schoeler wrote:
>> thus Pasi Kärkkäinen spake:
>>> On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
>>>> I will explain more deeply. I need to deploy a firewall(s) in front of a web
>>>> server farm because I need to do billing - I will use CentOS with iptables
>>>> + ipset to store a list of my clients, so when a client doesn't pay, his
>>>> server's IP is taken out of the list and he can't access the web server.
>>>>
>>>> Second - I know that iptables is very heavy and it's not recommended to
>>>> use it in a gigabit firewall, but I don't have a choice; as far as I know only
>>>> ipset works with iptables. I don't know whether pf can store 500 IPs in one list.
>>>> Ipset is written for that purpose.
>>>>
>>>> I can't find information on whether there is a Linux or BSD distribution with an
>>>> effective firewall that uses an optimized algorithm to store hundreds of IPs and
>>>> to forward huge traffic. Any idea?
>>>>
>>> I've been using Linux (CentOS5) on gigabit firewalls, for thousands of
>>> users. No problems.
>> Yeah, but what is your ruleset?
>>
>
> Hundreds of chains, thousands of rules..
>
>>> Just make sure ip_conntrack_max is big enough, so you don't run out of
>>> connections.
>> Just three months ago I saw a CentOS L2TP cluster explode because of
>> this -- and the machines have _plenty_ of RAM each. Turning off
>> ip[6]tables entirely and letting the Ciscos do this was the only solution.
>>
>
> The default values are way too low. First step is to increase that
> value.

Was the first thing I tried; unfortunately, I didn't really see sense in
giving iptables the vast majority of 32GiByte RAM...

>>> There are other things to tune to optimize the performance, but it's
>>> certainly doable with linux+iptables.
>> Nail, hammer, etc. ;)
>>
>
> -- Pasi

Timo
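As an added illustration of the setup discussed in this thread (not code from any of the posters): a small POSIX shell script that turns a constructed billing export into an `ipset restore` file for the "paying clients" set, the two iptables rules that gate the web farm on that set, the single `ipset del` needed when a client stops paying, and the sysctl that raises the connection-tracking limit Pasi mentions. It assumes ipset 6.x syntax (`hash:ip`, `-m set --match-set`), the `net.netfilter.nf_conntrack_max` key of newer kernels (CentOS 5 used `net.ipv4.netfilter.ip_conntrack_max`), and a web farm in 203.0.113.0/24; the client IPs and the conntrack value are constructed sample data. The script only emits configuration text so it can be reviewed before being loaded on the firewall.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (does not apply) an ipset
# restore file, the matching iptables rules, a per-client revocation command
# and a conntrack sysctl for a billing allow-list in front of a web farm.

SET_NAME="clients"           # ipset holding the IPs of paying clients
WEB_FARM="203.0.113.0/24"    # constructed: address block of the web server farm
CONNTRACK_MAX=1048576        # constructed: replaces the small default the thread warns about

# Constructed sample billing export: one "ip status" pair per line.
CLIENTS='198.51.100.10 paid
198.51.100.11 unpaid
198.51.100.12 paid
192.0.2.7 paid
192.0.2.8 unpaid'

# Emit an "ipset restore" script: create the set, then one add per paid IP.
# A hash:ip set gives one hash lookup per packet however many hundreds of IPs
# it holds, which is why ipset beats one iptables rule per client.
build_ipset_restore() {
    printf 'create %s hash:ip family inet hashsize 1024 maxelem 65536\n' "$SET_NAME"
    printf '%s\n' "$CLIENTS" | while read -r ip status; do
        if [ "$status" = "paid" ]; then
            printf 'add %s %s\n' "$SET_NAME" "$ip"
        fi
    done
}

# Emit the forwarding rules: one set match replaces hundreds of per-client
# rules, and an IP removed from the set simply stops matching the ACCEPT.
build_iptables_rules() {
    printf 'iptables -A FORWARD -d %s -p tcp -m multiport --dports 80,443 -m set --match-set %s src -j ACCEPT\n' \
        "$WEB_FARM" "$SET_NAME"
    printf 'iptables -A FORWARD -d %s -p tcp -m multiport --dports 80,443 -j DROP\n' "$WEB_FARM"
}

# Command to run when a client stops paying: a single set change, no rule reload.
revoke_client_cmd() {
    printf 'ipset del %s %s\n' "$SET_NAME" "$1"
}

# Sysctl raising the conntrack table limit; the default is far too low for a
# gigabit firewall carrying thousands of users' connections.
build_conntrack_sysctl() {
    printf 'net.netfilter.nf_conntrack_max = %s\n' "$CONNTRACK_MAX"
}

# Number of paid clients placed in the set, for a sanity check against billing.
paid_client_count() {
    build_ipset_restore | grep -c '^add '
}

# Print everything for review. On the firewall the pieces would be loaded with
# "ipset -exist restore < clients.ipset", the iptables lines run in order,
# and the sysctl line placed in /etc/sysctl.conf followed by "sysctl -p".
main() {
    echo "# ipset restore file"; build_ipset_restore
    echo "# iptables rules"; build_iptables_rules
    echo "# sysctl"; build_conntrack_sysctl
    echo "# paid clients in set: $(paid_client_count)"
    echo "# example revocation:"; revoke_client_cmd 192.0.2.7
}

main
```

Because membership is the only thing that changes when a client pays or stops paying, the ruleset itself stays fixed at two rules, and the set can be swapped atomically with `ipset restore` when the billing export is regenerated.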