 From:  Guy Boisvert <boisvert dot guy at videotron dot ca>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 10.000 firewall rules.
 Date:  Wed, 10 Jan 2007 15:48:04 -0500
Chris Buechler wrote:
> On 1/10/07, Ulrik Lunddahl (PROconsult) <ul at proconsult dot dk> wrote:
>> Hello list!
>>
>> I have a customer who has a transaction server, the server receives
>> small UDP packets and sends small UDP packets back to the requesting
>> device.
>>
>> He asks if he can use m0n0wall as a firewall, but I'm not sure.
>>
>> He has around 10.000 firewall rules permitting UDP packets for the
>> customers' public IP addresses; how will m0n0wall handle this on modern PC
>> hardware?
>>
>> Is the session table, or xlate or whatever it's called, large enough to handle
>> this?
>>
>
> That has no relation to the number of firewall rules.  The max is 30K
> states - networks vary too widely for me to even venture to guess how
> many states that's using.
>
> With 10,000 firewall rules, loading the rules page is probably going
> to take forever and a day. The worst I've ever tried was about 150
> rules on a 4801 (266 MHz), and it took nearly a minute to fully load
> the rules page. Granted a 4801 isn't a fast box by any means, but even
> on a fast box it could take a couple minutes to load the rules page
> with 10K firewall rules.  I'm not sure if anybody has an install using
> nearly that many rules.
>
> My first reaction to anyone that says they have 10K firewall rules is
> that they're not optimizing their ruleset, so I would definitely look
> for ways to shrink that list substantially (for reasons other than
> performance). It may not be the case here, but I've yet to see even a
> large complex network that needed remotely close to that many rules on
> a perimeter firewall.
>
> -Chris

I have several firewalls in production and never saw that many rules on 
a firewall.  I'd imagine that this is a typo!  If this is real, I'd be 
very curious to get a picture of the way they ended up having that many 
rules!  Is it because of a lack of knowledge or is it a really weird 
application?


Guy Boisvert
IngTegration inc.
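Chris's advice above is to shrink the ruleset before worrying about performance. The usual way a list of per-customer permit rules balloons into thousands is one rule per /32 source address. The following is an added example, not code from this thread or from the m0n0wall project: it collapses a list of individual source addresses into the smallest set of CIDR prefixes that covers exactly those addresses, verifies that the aggregation does not widen the allow list (the check a practitioner wants before replacing 276 rules with 5), and renders the result as ipf-style rule lines. The customer addresses, the interface name `fxp0`, the server address `198.51.100.10` and the UDP port `5000` are constructed assumptions using RFC 5737 documentation ranges; the rule text is plain IPFilter syntax for illustration and is not m0n0wall's generated configuration.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample data (RFC 5737 documentation ranges): a customer list
# in which every source address currently has its own permit rule.
SAMPLE_CUSTOMER_IPS = (
    [f"203.0.113.{i}" for i in range(0, 256)]       # a full contiguous /24
    + [f"198.51.100.{i}" for i in range(16, 32)]    # a contiguous /28
    + ["192.0.2.7", "192.0.2.9", "192.0.2.10", "192.0.2.11"]  # scattered hosts
)


def aggregate(addresses: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Collapse individual addresses into the fewest CIDR prefixes that cover
    exactly those addresses. collapse_addresses() only merges adjacent,
    properly aligned blocks, so it never admits a host that was not listed."""
    nets = [ipaddress.ip_network(a) for a in addresses]  # "a.b.c.d" -> a.b.c.d/32
    return list(ipaddress.collapse_addresses(nets))


def covers_exactly(addresses: Iterable[str], nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """Safety check before swapping rulesets: every listed host must be covered,
    and the prefixes must contain no host beyond the listed ones."""
    wanted = {ipaddress.ip_address(a) for a in addresses}
    nets = list(nets)
    all_covered = all(any(ip in n for n in nets) for ip in wanted)
    no_extra = sum(n.num_addresses for n in nets) == len(wanted)
    return all_covered and no_extra


def rule_count(addresses: Iterable[str]) -> Tuple[int, int]:
    """Return (rules before, rules after) for a one-rule-per-source ruleset."""
    addrs = list(addresses)
    return len(addrs), len(aggregate(addrs))


def ipf_rules(addresses: Iterable[str], iface: str, server: str, port: int) -> List[str]:
    """Render one stateful ipf-style permit rule per aggregated prefix.
    Assumed, illustrative syntax; not m0n0wall's generated rule file."""
    return [
        f"pass in quick on {iface} proto udp from {net.with_prefixlen} "
        f"to {server} port = {port} keep state"
        for net in aggregate(addresses)
    ]


if __name__ == "__main__":
    before, after = rule_count(SAMPLE_CUSTOMER_IPS)
    print(f"{before} per-host rules collapse to {after} prefix rules")
    assert covers_exactly(SAMPLE_CUSTOMER_IPS, aggregate(SAMPLE_CUSTOMER_IPS))
    for line in ipf_rules(SAMPLE_CUSTOMER_IPS, "fxp0", "198.51.100.10", 5000):
        print(line)
```

The `covers_exactly` check is the important part: aggregating by hand, or rounding a list up to the nearest /24 "to keep things tidy", is how a permit list silently grows to include hosts the customer never asked for. Scattered hosts such as 192.0.2.7 and 192.0.2.9 stay as /32 rules, which is correct; only addresses that genuinely form an aligned block get merged.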