Togan Muftuoglu
* Mark Gray;
on 13 May, 2003 wrote: Write your own firewall script (if you take a look at the output of "iptables -L" while running SuSEfirewall you will get a good idea why it is running slow -- the iptables it sets up for even the simplest system is rather baroque :-)
Out of curiosity, what makes you think it is baroque?
It seems to me if you only use it to allow certain services, ACCEPT rules for those services with a default DROP policy should be sufficient, but SuSEfirewall will generate so many extraneous rules and user-defined chains that the top will scroll off the screen if you try to list it at the console. The only reason I can see for this is to allow it to continue to be written as a bash shell script and configured using only simple questions. Given that extraordinary effort went into making the Linux IP stack as efficient as possible -- zero copy, cache line alignment etc., it seems a waste for a packet to have to go through all those rules when an ACCEPT as early as possible in the chain is all that is necessary. (I am not really calling SuSE on the carpet for this -- I long ago decided it was too inflexible and far too complex for my simple needs and wrote my own script and kept my mouth shut until today. (You can blame excessive coffee (even for me) for my sudden outburst :-) Take a look at the output of 'iptables -L -v' for yourself if you are using SuSEfirewall, and compare it with the functionality you wanted when you answered all those questions, and trace a packet through that chain of rules to get an idea of what might be slowing down the original poster's server.)
On 13 May 2003 12:20:58 -0400
Mark Gray
Togan Muftuoglu
writes: * Mark Gray;
on 13 May, 2003 wrote: Write your own firewall script (if you take a look at the output of "iptables -L" while running SuSEfirewall you will get a good idea why it is running slow -- the iptables it sets up for even the simplest system is rather baroque :-)
Out of curiosity, what makes you think it is baroque?
(I am not really calling SuSE on the carpet for this -- I long ago decided it was too inflexible and far too complex for my simple needs and wrote my own script and kept my mouth shut until today. (You can blame excessive coffee (even for me) for my sudden outburst :-) Take a look at the output of 'iptables -L -v' for yourself if you are using SuSEfirewall, and compare it with the functionality you wanted when you answered all those questions, and trace a packet through that chain of rules to get an idea of what might be slowing down the original poster's server.)
heh, heh... well, since you admitted it, I will confess too. I'm using the firewall2 script which came from 7.3 for my 8.1 setup. It just worked better. :-) -- use Perl; #powerful programmable prestidigitation
* Mark Gray;
Togan Muftuoglu
writes: It seems to me if you only use it to allow certain services, ACCEPT rules for those services with a default DROP policy should be sufficient, but SuSEfirewall will generate so many extraneous rules and user-defined chains that the top will scroll off the screen if you try to list it at the console. The only reason I can see for this is
Not necessarily; it depends how you configure it. "To err is human."
to allow it to continue to be written as a bash shell script and configured using only simple questions. Given that extraordinary effort went into making the Linux IP stack as efficient as possible -- zero copy, cache line alignment etc., it seems a waste for a packet to have to go through all those rules when an ACCEPT as early as possible in the chain is all that is necessary.
SuSEfirewall2 that comes with 8.1 and 8.2 is actually faster than previous versions due to the created chains. Well, you can reduce the generated rules by:
1. Only put in the network interfaces you really need.
2. Disable logging.
3. Set FW_PROTECT_FROM_INTERNAL to no.
4. Disable the service autoprotecting feature.
5. Set all FW_ALLOW_* and FW_SERVICE_* to no.
6. Do not use routing or masquerading :-)
7. Only enable routing/services you really need and make the statements as general as possible to reduce the number of definitions.
SuSEfirewall, and compare it with the functionality you wanted when you answered all those questions, and trace a packet through that chain of rules to get an idea of what might be slowing down the original posters server.)
Well, we do not know the hardware details of the OP; as he mentioned he converted from RH 5.0 to SuSE 8.1, it could be an old 486, which I would say lacks the necessary power for the goodies you mention in the kernel :-) -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
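Mark suggests listing the rule set with 'iptables -L -v' and tracing a packet through it, and Togan's list above is about cutting the number of generated rules. The script below is an added example, not code from the thread or from SuSEfirewall2: it parses the layout of 'iptables -L -v' output (the embedded sample is constructed to look like a SuSEfirewall2-style rule set with user-defined chains; it is not real output from the poster's box), counts the rules in each chain, and computes for each built-in chain the worst-case number of rules a packet can be checked against before the chain policy applies. That number, before and after trimming the configuration, is a more useful measure than how far the listing scrolls. The chain and prefix names in the sample are assumptions.

```python
import sys
from collections import OrderedDict

# Constructed sample in the layout of `iptables -L -v` for the filter table.
# Chain names and LOG prefixes are made up for this example.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   600 ACCEPT     all  --  lo     any     anywhere             anywhere
   42  2520 input_ext  all  --  eth0   any     anywhere             anywhere
    0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level warning prefix `SuSE-FW-ILLEGAL-TARGET '
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain input_ext (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere            PKTTYPE = broadcast
    3   180 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-request
   20  1200 reject_func  tcp  --  any    any     anywhere             anywhere            tcp dpt:auth
   15   900 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
    4   240 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
    0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level warning prefix `SuSE-FW-DROP-DEFAULT '
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain reject_func (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset
    0     0 REJECT     udp  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-proto-unreachable
"""

BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}


def parse_chains(text):
    """Return an ordered mapping chain name -> list of rule targets."""
    chains = OrderedDict()
    current = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]          # "Chain NAME (policy ...)" -> NAME
            chains[current] = []
        elif current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue                           # blank line or column header
        else:
            chains[current].append(line.split()[2])   # third column is the target
    return chains


def worst_case(chains, name, _stack=()):
    """Upper bound on rules evaluated if no rule matches until the end of the chain.
    A jump into a user chain that RETURNs falls through to the caller's next rule,
    so every rule of every reachable user chain is counted once."""
    if name in _stack:
        raise ValueError("chain loop via %s" % name)   # iptables refuses loops; guard anyway
    total = 0
    for target in chains.get(name, []):
        total += 1
        if target in chains and target not in BUILTIN:
            total += worst_case(chains, target, _stack + (name,))
    return total


def summarize(text):
    chains = parse_chains(text)
    return {
        "rules_per_chain": {c: len(r) for c, r in chains.items()},
        "user_chains": [c for c in chains if c not in BUILTIN],
        "worst_case": {c: worst_case(chains, c) for c in BUILTIN if c in chains},
    }


if __name__ == "__main__":
    # Pipe real output in with:  iptables -L -v -n | python3 this_script.py
    # (-n avoids DNS lookups while listing); otherwise the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    report = summarize(text)
    for chain, count in report["rules_per_chain"].items():
        print("%-14s %3d rules" % (chain, count))
    for chain, bound in report["worst_case"].items():
        print("worst case %-8s %3d rule evaluations" % (chain, bound))
```

On the sample, INPUT holds only 4 rules itself, but a packet that matches nothing is checked against 14 (4 in INPUT, 7 in input_ext, 3 in reject_func), which is the figure that grows with every FW_SERVICES_* and logging option enabled.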
On Tuesday 13 May 2003 20:19, Togan Muftuoglu wrote:
* Mark Gray;
on 13 May, 2003 wrote: Togan Muftuoglu
writes: Well, we do not know the hardware details of the OP; as he mentioned he converted from RH 5.0 to SuSE 8.1, it could be an old 486, which I would say lacks the necessary power for the goodies you mention in the kernel :-)
The server is a Pentium III 1000MHz with 512 MB RAM and 1 SCSI 16GB HDD :)
* Stelios Asmargianakis;
The server is a Pentium III 1000MHz with 512 MB RAM and 1 SCSI 16GB HDD :)
Hmm, in this case could you please send the configuration file? No CC'ing is necessary as I am on the list until ckm kicks me out :-) -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
On Tuesday 13 May 2003 21:38, Togan Muftuoglu wrote:
* Stelios Asmargianakis;
on 13 May, 2003 wrote: The server is a Pentium III 1000MHz with 512 MB RAM and 1 SCSI 16GB HDD :)
Hmm, in this case could you please send the configuration file? No CC'ing is necessary as I am on the list until ckm kicks me out :-)
First of all, thanks for your answer. OK, here is the SuSEfirewall2 script (I took out the comments).
FW_QUICKMODE="no"
FW_DEV_EXT="eth0 eth0:1"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="10000 169 22 25 3128 3306 42 443 53 80 http https ssh"
FW_SERVICES_EXT_UDP="53 80 10000 22 3128 3306 42 443 25 169"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="DNS"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="no"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_REJECT="no"
Regards
* Stelios Asmargianakis;
OK, here is the SuSEfirewall2 script (I took out the comments). FW_MASQ_NETS="0/0"
Place your actual masq net here, i.e. 192.168.1.0/24; it is better than the whole internet.
FW_AUTOPROTECT_SERVICES="yes" FW_SERVICES_EXT_TCP="10000 169 22 25 3128 3306 42 443 53 80 http https ssh"
No need for "ssh http https" as you have already defined them with "22 80 443". Also, why do you need 42 and 169? Hope your MySQL is secured along with webmin.
FW_SERVICES_EXT_UDP="53 80 10000 22 3128 3306 42 443 25 169"
22 25 80 3128 are not used in UDP. Why do you think you need 42 and 169? I also do not think webmin needs 10000 UDP unless you have something else running on 10000.
FW_ALLOW_INCOMING_HIGHPORTS_TCP="DNS" FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
See if it makes it better. -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
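Togan's review above comes down to a few mechanical checks on the FW_* variables: service names that duplicate ports already listed numerically, TCP-only ports copied into the UDP list, a masquerading net of 0/0, and a wide-open high-port setting. The script below is an added example, not code from the thread or part of SuSEfirewall2: it reads the KEY="value" lines of such a config and reports exactly those findings. The sample input is the relevant subset of the config Stelios posted; the name-to-port table and the TCP-only port set are assumptions taken from the thread rather than read from /etc/services, so the check runs offline.

```python
import re
import sys

# Relevant subset of the configuration posted in the thread, used as sample input.
SAMPLE_CONFIG = """\
FW_MASQ_NETS="0/0"
FW_SERVICES_EXT_TCP="10000 169 22 25 3128 3306 42 443 53 80 http https ssh"
FW_SERVICES_EXT_UDP="53 80 10000 22 3128 3306 42 443 25 169"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="DNS"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
"""

# Assumed name -> port table (a small stand-in for /etc/services).
SERVICE_PORTS = {"ssh": 22, "smtp": 25, "domain": 53, "http": 80, "https": 443}
# Ports the thread identifies as TCP-only, so they make no sense in the UDP list.
TCP_ONLY = {22, 25, 80, 3128}

# Matches lines of the form  FW_NAME="value"  (comments and blank lines are ignored).
VAR_RE = re.compile(r'^\s*(FW_[A-Z0-9_]+)="([^"]*)"\s*$')


def parse_config(text):
    """Return a dict of FW_* variables to their (unquoted) string values."""
    cfg = {}
    for line in text.splitlines():
        m = VAR_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def check_config(cfg):
    """Return a list of human-readable findings for the redundancies the thread points out."""
    findings = []
    tcp = cfg.get("FW_SERVICES_EXT_TCP", "").split()
    udp = cfg.get("FW_SERVICES_EXT_UDP", "").split()

    # 1. Service names that only repeat a port already given as a number.
    numeric_tcp = {int(t) for t in tcp if t.isdigit()}
    for name in tcp:
        if not name.isdigit() and SERVICE_PORTS.get(name) in numeric_tcp:
            findings.append("FW_SERVICES_EXT_TCP: '%s' duplicates port %d" % (name, SERVICE_PORTS[name]))

    # 2. TCP-only services listed for UDP: extra rules that can never match real traffic.
    for entry in udp:
        if entry.isdigit() and int(entry) in TCP_ONLY:
            findings.append("FW_SERVICES_EXT_UDP: port %s is TCP-only" % entry)

    # 3. Masquerading for any source instead of the real internal network.
    if "0/0" in cfg.get("FW_MASQ_NETS", "").split():
        findings.append("FW_MASQ_NETS: 0/0 masquerades any source; list the actual internal net (e.g. 192.168.1.0/24)")

    # 4. 'yes' admits unsolicited UDP to every unprivileged port; 'DNS' or 'no' is narrower.
    if cfg.get("FW_ALLOW_INCOMING_HIGHPORTS_UDP") == "yes":
        findings.append("FW_ALLOW_INCOMING_HIGHPORTS_UDP: 'yes' opens all high UDP ports; consider 'DNS' or 'no'")

    return findings


if __name__ == "__main__":
    # Usage: python3 this_script.py /path/to/SuSEfirewall2-config   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in check_config(parse_config(text)):
        print(finding)
```

Run against the posted config it reports nine findings: three duplicated service names (http, https, ssh), four TCP-only ports in the UDP list (80, 22, 3128, 25), the 0/0 masquerade net, and the high-port UDP setting.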
I made all these changes but the problem still remains.... On Tuesday 13 May 2003 22:48, Togan Muftuoglu wrote:
* Stelios Asmargianakis;
on 13 May, 2003 wrote: OK, here is the SuSEfirewall2 script (I took out the comments). FW_MASQ_NETS="0/0"
Place your actual masq net here, i.e. 192.168.1.0/24; it is better than the whole internet.
FW_AUTOPROTECT_SERVICES="yes" FW_SERVICES_EXT_TCP="10000 169 22 25 3128 3306 42 443 53 80 http https ssh"
No need for "ssh http https" as you have already defined them with "22 80 443". Also, why do you need 42 and 169? Hope your MySQL is secured along with webmin.
FW_SERVICES_EXT_UDP="53 80 10000 22 3128 3306 42 443 25 169"
22 25 80 3128 are not used in UDP. Why do you think you need 42 and 169? I also do not think webmin needs 10000 UDP unless you have something else running on 10000.
FW_ALLOW_INCOMING_HIGHPORTS_TCP="DNS" FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
See if it makes it better.
On Tue, 2003-05-13 at 15:38, Stelios Asmargianakis wrote:
I made all these changes but the problem still remains....
Perhaps it would be easier to help with the problem if you told us what - exactly - is so much slower than before? Is it the traffic going _through_ the box? Is it terminal sessions (or, heaven forbid on this ancient thing, X sessions) _on_ the box? Is it _connections_ to services hosted on the box? I'm sorry if you've mentioned it before, but I just reviewed the thread and I don't see it. Regards, dk
Only http connections are much slower than before. Other services are running very well. The server is running apache 1.3.26. On Wednesday 14 May 2003 00:19, David Krider wrote:
On Tue, 2003-05-13 at 15:38, Stelios Asmargianakis wrote:
I made all these changes but the problem still remains....
Perhaps it would be easier to help with the problem if you told us what - exactly - is so much slower than before? Is it the traffic going _through_ the box? Is it terminal sessions (or, heaven forbid on this ancient thing, X sessions) _on_ the box? Is it _connections_ to services hosted on the box? I'm sorry if you've mentioned it before, but I just reviewed the thread and I don't see it.
Regards, dk
Thanks
I'm using a SuSEfirewall2 script from 8.1. Got about 30 machines running behind it with no slowdown. Although my pc is a 200mhz w/64mb ram, not a 486. -Trey