 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 10.000 firewall rules.
 Date:  Wed, 10 Jan 2007 20:54:48 +0000

In message <45A55104 dot 7030001 at videotron dot ca>, Guy Boisvert
<boisvert dot guy at videotron dot ca> writes
>Chris Buechler wrote:
>> On 1/10/07, Ulrik Lunddahl (PROconsult) <ul at proconsult dot dk> wrote:
>>> Hello list!
>>> I have a customer who has a transaction server, the server receives
>>> small UDP packets and sends small UDP packets back to the requesting
>>> device.
>>> He asks if he can use m0n0wall as a firewall, but I'm not sure.
>>> He has around 10.000 firewall rules permitting UDP packets for the
>>> customers' public IP addresses, how will m0n0wall handle this on modern PC
>>> hardware.
>>> Is the session table, or xlate or whatever it's called, large enough to handle
>>> this?
>> That has no relation to the number of firewall rules.  The max is 30K
>> states - networks vary too widely for me to even venture to guess how
>> many states that's using.
>> With 10,000 firewall rules, loading the rules page is probably going
>> to take forever and a day. The worst I've ever tried was about 150
>> rules on a 4801 (266 MHz), and it took nearly a minute to fully load
>> the rules page. Granted a 4801 isn't a fast box by any means, but even
>> on a fast box it could take a couple minutes to load the rules page
>> with 10K firewall rules.  I'm not sure if anybody has an install using
>> nearly that many rules.
>> My first reaction to anyone that says they have 10K firewall rules is
>> that they're not optimizing their ruleset, so I would definitely look
>> for ways to shrink that list substantially (for reasons other than
>> performance). It may not be the case here, but I've yet to see even a
>> large complex network that needed remotely close to that many rules on
>> a perimeter firewall.
>I have several firewalls in production and never saw that many rules on
>a firewall.  I'd imagine that this is a typo!  If this is real, I'd be
>very curious to get a picture of the way they ended up having that many
>rules!  Is it because of a lack of knowledge or is it a really weird

I can't imagine trying to find a specific rule, let alone manage that
many rules!

I can only imagine that he has 10,000 customers and has added a rule for
each one with their IP address.  That could potentially be solved by a
single rule and one alias that points to multiple IP addresses.  Anyone
know if that's possible with the FreeBSD 6.x based m0n0?

But then you have the problem of managing an alias with 10,000 IP


Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
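The "single rule and one alias" approach discussed above, written out as an added example in raw pf syntax (this is not m0n0wall's own configuration and not from the thread); the interface name, server address, port and table file are assumed placeholders, and whether m0n0wall's GUI exposes pf tables this way is exactly the open question in the message.

```pf
# Added example, not from the thread and not m0n0wall's configuration.
# Collapses ~10,000 per-customer UDP permit rules into one table-backed rule.
ext_if   = "em0"           # assumed external interface
txn_srv  = "192.0.2.10"    # transaction server (documentation address)
txn_port = "5555"          # assumed UDP service port

# One table holds every customer source address. Keeping the list in a
# file means the ruleset itself never grows with the customer count.
table <customers> persist file "/etc/pf.customers"

# Default deny on the external interface; last matching rule wins, so the
# "quick" rule below short-circuits evaluation for matching customers.
block in log on $ext_if

# The single rule that replaces the 10,000 per-IP rules. "keep state" is
# spelled out because older pf releases (FreeBSD 6.x era) did not default it.
pass in quick on $ext_if inet proto udp from <customers> \
    to $txn_srv port $txn_port keep state

# Managing the 10,000 entries is then a table operation, not a rule edit:
#   pfctl -t customers -T add    198.51.100.7        # onboard one customer
#   pfctl -t customers -T delete 198.51.100.7        # offboard one customer
#   pfctl -t customers -T replace -f /etc/pf.customers   # reload whole list
#   pfctl -t customers -T test   198.51.100.7        # would this address match?
#   pfctl -t customers -T show | wc -l               # audit the current count
```

Table lookups are a radix-tree match, so the per-packet cost does not grow with the number of addresses the way a linear walk of 10,000 rules would.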