FW: [suse-security] optimal kernel config for firewall gateway ?
-----Original Message-----
From: Thomas Schmidt
Sent: Monday, January 14, 2002 11:16 AM
To: 'Torsten Mueller'
Subject: RE: [suse-security] optimal kernel config for firewall gateway ?

It's true that you can use a 486 for a firewall, but I prefer a P-II or AMD K6-2 as the minimum requirement for 1 Mbit. The problem is not the traffic, but the syslog. We have several customers who are connected with 2 Mbit. If someone portscans your system or tries a DoS attack, your system load increases dramatically and the traffic stops :(
-----Original Message-----
From: Torsten Mueller [mailto:torsten@archesoft.de]
Sent: Friday, January 11, 2002 10:40 AM
To: Bernhard Held
Cc: SuSE-Security List
Subject: Re: [suse-security] optimal kernel config for firewall gateway ?
Hey,
Bernhard Held wrote:

Well, if you compile a kernel with ip-forwarding turned on but filtering disabled, one would expect that the router is faster because the code is just missing in the kernel. On a reasonably fast machine I'd say that these effects should be negligible. But what do you think is a reasonable machine? What will I need for a simple firewall with Internet (1 MBit), DMZ (mailserver) and a local network in terms of MHz and MByte?

For me a 486 with, I think, 33 MHz and 12 MB RAM works. It connects my wireless LAN to the internet (ADSL, German Telekom).
Greetings Torsten
Thanks, Bernhard
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
It's true that you can use a 486 for a firewall, but I prefer a P-II or AMD K6-2 as the minimum requirement for 1 Mbit. The problem is not the traffic, but the syslog. We have several customers who are connected with 2 Mbit. If someone portscans your system or tries a DoS attack, your system load increases dramatically and the traffic stops :(
Nah... The syslog.conf manpage states that if a logfile is preceded with a "-" (like in *.* -/var/log/allmessages), then the syslogd will not call fsync() after a write() to this file. As a consequence, the load will remain small.

Generally, it's a good idea to fsync() all logfiles, especially if something really urgent has been logged (like a failing disk). Typically, such logs are from the kernel, which leads one to believe that all kernel logs should be synced at once. Unfortunately, firewall messages are kernel logs as well, and then you have to change the perspective. If your syslogd takes too much time to sync the data to disk, the kernel message ringbuffer (/proc/kmsg) might overflow and some messages might get lost.

Roman.
Another solution is not to log portscans and other types of high-volume log traffic. Ask yourself this: do you actually read those log files or otherwise do something with them? If the answer is not an immediate "YES!" then you may not need to enable some forms of logging.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
On Wednesday 16 January 2002 14:38, you wrote:
It's true that you can use a 486 for a firewall, but I prefer a P-II or AMD K6-2 as the minimum requirement for 1 Mbit. The problem is not the traffic, but the syslog. We have several customers who are connected with 2 Mbit. If someone portscans your system or tries a DoS attack, your system load increases dramatically and the traffic stops :(

The syslog.conf manpage states that if a logfile is preceded with a "-" (like in *.* -/var/log/allmessages), then the syslogd will not call fsync() after a write() to this file. As a consequence, the load will remain small.

Generally, it's a good idea to fsync() all logfiles, especially if something really urgent has been logged (like a failing disk). Typically, such logs are from the kernel, which leads one to believe that all kernel logs should be synced at once. Unfortunately, firewall messages are kernel logs as well, and then you have to change the perspective. If your syslogd takes too much time to sync the data to disk, the kernel message ringbuffer (/proc/kmsg) might overflow and some messages might get lost.
Doesn't -m limit with --limit and --limit-burst help matters considerably?

Would it be a nice feature if klogd was extended so that messages below the console logging level could be matched against RE patterns, like '^IN=.* OUT=.* MAC=' and '^APIC error on CPU', and diverted to one of the local syslog facilities? Pattern matching is fairly efficient with modern CPUs, and under SuSE /var/log/messages and /var/log/firewall tend to collect far too much duplicated rubbish and irrelevant messages.

The lack of an fsync() explains issues with corruption in log files; I thought that was due to ReiserFS not flushing data. It would be nice to have really important kernel messages logged and saved immediately to help in post mortems.

Rob
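Rob's idea of a pattern-matching klogd, and Kurt's question of whether anyone reads the raw portscan lines, as an added example that is not part of the thread and not klogd's or SuSE's code: a Python filter that sorts kernel log lines by regular expression into three destinations (urgent lines that must be fsync()ed at once, ordinary kernel messages, and iptables LOG lines for an unsynced firewall file) and then collapses a scan from one source into a single summary line. The function names (classify, route, compact), the widened firewall pattern (Rob's '^IN=.* OUT=.* MAC=' relaxed to allow a --log-prefix and OUTPUT-chain lines without MAC=), the urgent-pattern list and the threshold of five hits are all assumptions of the example; the sample /proc/kmsg lines are constructed, with documentation addresses and a made-up MAC string.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Lines read from /proc/kmsg carry a "<N>" prefix; the low three bits are the log level.
PRIO_RE = re.compile(r"^<(?P<prio>\d+)>")

# iptables LOG lines. Rob's '^IN=.* OUT=.* MAC=' widened (assumption) to tolerate a
# --log-prefix and OUTPUT-chain lines, which carry no MAC= field. Field names are the
# ones the LOG target prints.
FW_RE = re.compile(
    r"(?:^|\s)IN=(?P<in>\S*) OUT=(?P<out>\S*) (?:MAC=\S* )?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)(?:.*? DPT=(?P<dpt>\d+))?"
)

# Messages that must reach disk immediately (written and fsync()ed at once).
# The pattern list is an assumption for the example, following Rob's APIC case.
URGENT_RE = re.compile(r"^(?:APIC error on CPU|.*\bI/O error\b)")


@dataclass
class Routed:
    urgent: list = field(default_factory=list)    # kern log, fsync() after each write
    kernel: list = field(default_factory=list)    # kern log, normal handling
    firewall: list = field(default_factory=list)  # high-volume file, written without fsync()
    hits: Counter = field(default_factory=Counter)                 # SRC -> LOG lines seen
    ports: dict = field(default_factory=lambda: defaultdict(set))  # SRC -> DPTs probed


def classify(line):
    """Return (destination, text without the <N> prefix, FW_RE match or None)."""
    m = PRIO_RE.match(line)
    level = int(m.group("prio")) & 7 if m else 7
    text = line[m.end():] if m else line
    if level <= 2 or URGENT_RE.match(text):       # KERN_CRIT and worse, or a known pattern
        return "urgent", text, None
    fw = FW_RE.search(text)
    return ("firewall" if fw else "kernel"), text, fw


def route(lines):
    """Sort a batch of kernel lines into the three destinations and tally firewall hits."""
    out = Routed()
    for line in lines:
        dest, text, fw = classify(line)
        getattr(out, dest).append(text)
        if fw:
            out.hits[fw["src"]] += 1
            if fw["dpt"]:
                out.ports[fw["src"]].add(int(fw["dpt"]))
    return out


def scan_summary(routed, threshold=5):
    """One line per source that produced >= threshold LOG entries, instead of every entry."""
    lines = []
    for src, n in routed.hits.most_common():
        if n < threshold:
            break
        ports = sorted(routed.ports[src])
        lines.append(f"fw: {n} logged packets from SRC={src}, {len(ports)} distinct DPT: "
                     + ",".join(map(str, ports)))
    return lines


def compact(routed, threshold=5):
    """What actually gets written to the firewall file: a summary for each busy
    source, the raw LOG line for everyone else."""
    busy = {src for src, n in routed.hits.items() if n >= threshold}
    kept = []
    for text in routed.firewall:
        fw = FW_RE.search(text)
        if fw is None or fw["src"] not in busy:
            kept.append(text)
    return scan_summary(routed, threshold) + kept


# Constructed sample input: an 8-port TCP scan from one host, one ICMP echo, one
# OUTPUT-chain line, one APIC error and one link-state line.
_SCAN = ("<4>SuSE-FW-DROP-DEFAULT IN=eth0 OUT= "
         "MAC=00:50:56:c0:00:08:00:0c:29:3e:1a:2b:08:00 SRC=203.0.113.7 DST=192.0.2.1 "
         "LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40123 DPT=%d "
         "WINDOW=1024 RES=0x00 SYN URGP=0")
SAMPLE_KMSG = [_SCAN % p for p in (21, 22, 23, 25, 80, 110, 143, 443)] + [
    "<4>SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:50:56:c0:00:08:00:0c:29:3e:1a:2b:08:00 "
    "SRC=198.51.100.9 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=7 "
    "PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    "<4>IN= OUT=eth1 SRC=192.0.2.1 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=3 DF PROTO=TCP SPT=1025 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    "<3>APIC error on CPU0: 40(40)",
    "<6>eth0: Link is up at 100 Mbps, full duplex.",
]

if __name__ == "__main__":
    routed = route(SAMPLE_KMSG)
    print(f"urgent={len(routed.urgent)} kernel={len(routed.kernel)} "
          f"firewall={len(routed.firewall)} -> firewall lines written={len(compact(routed))}")
    for line in compact(routed):
        print(line)
```

Run stand-alone, the 12 sample lines become 1 urgent line (the APIC error), 1 ordinary kernel line and 10 firewall lines, of which compact() writes 3: the scan collapsed to one summary plus the two unrelated LOG lines. A -m limit rule in front of the LOG target, as Rob asks about, reduces the volume before klogd ever sees it; a filter like this handles what still arrives, and the file it writes is the one that gets the "-" prefix in syslog.conf from Roman's reply, while the urgent destination keeps the fsync().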
* Thomas Schmidt wrote on Mon, Jan 14, 2002 at 12:00 +0100:
It's true that you can use a 486 for a firewall, but I prefer a P-II or AMD K6-2 as the minimum requirement for 1 Mbit. The problem is not the traffic, but the syslog.
I would say: the problem is not the traffic, but the number of rules. If you have, e.g., 700 rules, which is not really much, a P100 at least causes large delays and may not be able to handle nice bandwidths.

oki, Steffen

--
This message was produced by machine and therefore bears neither signature nor seal.
participants (5)
- Kurt Seifried
- Robert Davies
- Roman Drahtmueller
- Steffen Dettmer
- Thomas Schmidt