network performance problems with SuSEfirewall2 and multiple interfaces
Hi everyone,
I've a machine with 3 real and 15 virtual interfaces under SuSE 9.0 with SuSEfirewall2. Resulting from this I've also a lot of iptables rules (iptables-save | wc -l gives me 1068 lines).
After some weeks the machine slows down network traffic, although everything else seems to run quite well (low CPU load, low memory usage), so I have to reboot it (restarting SuSEfirewall2 does not help).
I wonder if anybody else has experienced something similar, if anything of that kind is known and if anybody has an idea where the problem may lie.
Greetings,
Ralf
Ralf Ronneburger wrote:
> Hi everyone,
> I've a machine with 3 real and 15 virtual interfaces under SuSE 9.0 with SuSEfirewall2. Resulting from this I've also a lot of iptables rules (iptables-save | wc -l gives me 1068 lines).
> After some weeks the machine slows down network traffic, although everything else seems to run quite well (low CPU load, low memory usage), so I have to reboot it (restarting SuSEfirewall2 does not help).
> I wonder if anybody else has experienced something similar, if anything of that kind is known and if anybody has an idea where the problem may lie.
> Greetings,
> Ralf
That's a lot. To help, a simple routing table and some example IPs would be useful for solving your problem. In this case it would be much easier to write your own firewall script instead of using SuSEfirewall, or let a different machine act as firewall and only set basic rules on that machine.
Philippe
Philippe Vogel wrote:
> Ralf Ronneburger wrote:
> > Hi everyone,
> > I've a machine with 3 real and 15 virtual interfaces under SuSE 9.0 with SuSEfirewall2. Resulting from this I've also a lot of iptables rules (iptables-save | wc -l gives me 1068 lines).
> > After some weeks the machine slows down network traffic, although everything else seems to run quite well (low CPU load, low memory usage), so I have to reboot it (restarting SuSEfirewall2 does not help).
> > I wonder if anybody else has experienced something similar, if anything of that kind is known and if anybody has an idea where the problem may lie.
> > Greetings,
> > Ralf
> That's a lot. To help, a simple routing table and some example IPs would be useful for solving your problem. In this case it would be much easier to write your own firewall script instead of using SuSEfirewall, or let a different machine act as firewall and only set basic rules on that machine.
> Philippe
Hi Philippe,
the setup is like this:
eth0, external interface, 15 public IPs
eth1, internal interface, private IP, connected to machines with private IPs
The SuSE box routes everything from internal machines to the internet with NAT, using SuSEfirewall2 for simplicity.
Greetings,
Ralf
* Ralf Ronneburger; <ralf@ronneburger.de> on 31 Jul, 2004 wrote:
> Hi everyone,
> I've a machine with 3 real and 15 virtual interfaces under SuSE 9.0 with SuSEfirewall2. Resulting from this I've also a lot of iptables rules (iptables-save | wc -l gives me 1068 lines).
> After some weeks the machine slows down network traffic, although everything else seems to run quite well (low CPU load, low memory usage), so I have to reboot it (restarting SuSEfirewall2 does not help).
According to the FAQ of SuSEfirewall2, /usr/share/doc/packages/SuSEfirewall2/FAQ:
Q: How can I reduce the generated rule set as much as possible?
A:
1. Only put in the network interfaces you really need.
2. Disable logging.
3. Set FW_PROTECT_FROM_INTERNAL to no.
4. Disable the service autoprotecting feature.
5. Set all FW_ALLOW_* and FW_SERVICE_* to no.
6. Do not use routing or masquerading :-)
7. Only enable routing/services you really need and make the statements
Then you will have got much less rules, but also a lesser security. Better spend 50$ on an old Pentium processor + board and don't use an old 486 as firewall.
Since you have not told us if you have done the above steps, this is the best I can come up with.
Hope this helps
--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC.
Nisi defectum, haud refiecendum
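Before applying the FAQ steps it helps to know where the 1068 lines actually come from. The script below is an added example, not part of the thread or of SuSEfirewall2: it parses an iptables-save dump (a small constructed one is embedded in `SAMPLE`; on a real box you would pipe `iptables-save` into the functions) and reports rules per table/chain, how many are LOG rules, and how many reference a given interface, so steps 1 and 2 of the FAQ can be targeted at the chains that dominate the rule set.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed iptables-save dump;
# the chain names and log prefixes are illustrative, not SuSEfirewall2's.
SAMPLE='# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-IN-DROP "
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOG --log-prefix "FW-FWD-DROP "
COMMIT'

# Read an iptables-save dump on stdin; print "table/chain count",
# largest chains first. Every packet traverses the whole chain until
# a terminating rule matches, so long chains are the hot path.
audit_rules() {
    awk '
        /^\*/  { table = substr($1, 2); next }   # *filter, *nat
        /^-A / { n[table "/" $2]++ }             # -A CHAIN ...
        END    { for (c in n) print c, n[c] }
    ' | sort -k2,2nr
}

# Number of LOG rules (FAQ step 2: logging is pure overhead on the path).
count_log_rules() {
    grep -c -- '-j LOG'
}

# Number of rules that match on a given interface via -i or -o
# (FAQ step 1: what removing one interface from the config would buy).
rules_for_iface() {
    grep -c -E -- "-(i|o) $1( |$)"
}

printf '%s\n' "$SAMPLE" | audit_rules
printf 'LOG rules: %s\n' "$(printf '%s\n' "$SAMPLE" | count_log_rules)"
printf 'eth0 rules: %s\n' "$(printf '%s\n' "$SAMPLE" | rules_for_iface eth0)"
```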