 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 10.000 firewall rules.
 Date:  Wed, 10 Jan 2007 11:15:22 -0500
On 1/10/07, Ulrik Lunddahl (PROconsult) <ul at proconsult dot dk> wrote:
> Hello list!
> I have a customer who has a transaction server, the server receives
> small UDP packets and sends small UDP packets back to the requesting
> device.
> He asks if he can use m0n0wall as a firewall, but I'm not sure.
> He has around 10.000 firewall rules permitting UDP packets for the
> customers public IP addresses, how will m0n0wall handle this on modern PC
> hardware?
> Is the session table, or xlate or what it's called, large enough to handle
> this?

That has no relation to the number of firewall rules.  The max is 30K
states - networks vary too widely for me to even venture to guess how
many states that's using.

With 10,000 firewall rules, loading the rules page is probably going
to take forever and a day. The worst I've ever tried was about 150
rules on a 4801 (266 MHz), and it took nearly a minute to fully load
the rules page. Granted a 4801 isn't a fast box by any means, but even
on a fast box it could take a couple minutes to load the rules page
with 10K firewall rules.  I'm not sure if anybody has an install using
nearly that many rules.

My first reaction to anyone that says they have 10K firewall rules is
that they're not optimizing their ruleset, so I would definitely look
for ways to shrink that list substantially (for reasons other than
performance). It may not be the case here, but I've yet to see even a
large complex network that needed remotely close to that many rules on
a perimeter firewall.