From: "Ulrik Lunddahl (PROconsult)" <ul at proconsult dot dk>
To: <m0n0wall at lists dot m0n0 dot ch>
Subject: SV: [m0n0wall] 10.000 firewall rules.
Date: Thu, 11 Jan 2007 06:51:10 +0100

Chris wrote:

> That has no relation to the number of firewall rules.  The max is 30K
> states - networks vary too widely for me to even venture to guess how
> many states that's using.
>
> With 10,000 firewall rules, loading the rules page is probably going to
> take forever and a day. The worst I've ever tried was about 150 rules on
> a 4801 (266 MHz), and it took nearly a minute to fully load the rules
> page. Granted a 4801 isn't a fast box by any means, but even on a fast
> box it could take a couple minutes to load the rules page with 10K
> firewall rules.  I'm not sure if anybody has an install using nearly
> that many rules.
>
> My first reaction to anyone that says they have 10K firewall rules is
> that they're not optimizing their ruleset, so I would definitely look
> for ways to shrink that list substantially (for reasons other than
> performance). It may not be the case here, but I've yet to see even a
> large complex network that needed remotely close to that many rules on
> a perimeter firewall.

The setup here is 10K ATM machines, and for every transaction they send
UDP data to the TX server that is placed behind m0n0wall.

The TX server is doing its own rejection based on the remote IP
address, before auth is done by some pretty safe key exchanging.

However, their security policy is somewhat harsh and requires that two
separate systems do the rejection based on remote IP address; that's why
I'm looking at m0n0wall to replace a quite expensive Cisco solution.

The update of the configuration is done once a day, and the
configuration file will probably be generated by some database
extraction tool, so there is no need to configure all the rules or, as
someone has said, IP aliases using the web UI.

I reckon every incoming UDP session uses one state, but how about the
outgoing traffic to the ATM machine? That is UDP as well, but will it
use a session state?

How fast are the UDP states torn down again?

Does anyone know if I can have an IP alias with 10K single addresses in it?

And last, will performance be hit by 10K rules or aliases?

- Ulrik
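The message above describes generating the daily ruleset from a database extraction of ATM addresses, and Chris's reply suggests shrinking the list before loading it. The script below is an added example, not code from the m0n0wall project or from anyone in this thread: it validates the extracted (ATM id, IP) rows, collapses the individual hosts into the smallest set of covering CIDR blocks so that contiguous ATM ranges become one rule each, and renders an allow-list with a final catch-all block. The TX server address 203.0.113.10, UDP port 5000, the interface name fxp0 and the ipfilter-style rule text are all assumptions for illustration; adapt the renderer to the syntax your firewall actually loads.

```python
"""Build a compact UDP allow-list from a database extraction of ATM source IPs.

Added example, not code from the m0n0wall project or the original thread.
Assumed (not from the thread): TX server at 203.0.113.10, UDP port 5000,
inbound interface fxp0, and ipfilter-style rule text. Adapt render_rules()
to whatever syntax your firewall consumes.
"""
import ipaddress
from typing import Iterable, Tuple

TX_SERVER = "203.0.113.10"  # assumed TX server address
TX_PORT = 5000              # assumed UDP port the ATMs send to
IFACE = "fxp0"              # assumed inbound interface name


def parse_rows(rows: Iterable[Tuple[str, str]]):
    """Validate (atm_id, ip) rows; return (unique IPv4 addresses, rejected rows).

    Rejected rows are returned rather than silently dropped so the nightly
    regeneration can fail loudly on bad database content instead of
    shipping a ruleset that quietly omits an ATM.
    """
    accepted = set()
    rejected = []
    for atm_id, ip_text in rows:
        try:
            addr = ipaddress.ip_address(ip_text.strip())
        except ValueError:
            rejected.append((atm_id, ip_text, "not an IP address"))
            continue
        if addr.version != 4:
            rejected.append((atm_id, ip_text, "not IPv4"))
            continue
        accepted.add(addr)          # set membership also removes duplicates
    return accepted, rejected


def collapse(addresses):
    """Merge individual hosts into the minimal sorted set of covering CIDR blocks."""
    return list(ipaddress.collapse_addresses(sorted(addresses)))


def render_rules(networks):
    """Emit one allow rule per block, then a catch-all block rule for the server."""
    rules = [
        f"pass in quick on {IFACE} proto udp from {net} "
        f"to {TX_SERVER} port = {TX_PORT} keep state"
        for net in networks
    ]
    rules.append(f"block in log quick on {IFACE} from any to {TX_SERVER}")
    return rules


def build(rows):
    """Full pipeline: rows from the extraction tool -> (rule lines, rejected rows)."""
    addresses, rejected = parse_rows(rows)
    return render_rules(collapse(addresses)), rejected


def sample_rows():
    """Constructed sample data standing in for the database extraction."""
    # 256 ATMs filling 192.0.2.0/24: these should collapse to a single rule.
    rows = [(f"ATM-{i:04d}", str(ipaddress.IPv4Address("192.0.2.0") + i))
            for i in range(256)]
    # 16 ATMs on non-adjacent even addresses: no merging possible, 16 /32 rules.
    rows += [(f"ATM-{1000 + i:04d}", f"198.51.100.{2 * i}") for i in range(16)]
    rows.append(("ATM-0005", "192.0.2.5"))      # duplicate row
    rows.append(("ATM-9998", "not-an-ip"))      # bad database content
    rows.append(("ATM-9999", "2001:db8::1"))    # wrong address family
    return rows


if __name__ == "__main__":
    rules, rejected = build(sample_rows())
    print("\n".join(rules))
    print(f"# {len(rules) - 1} allow rules generated, {len(rejected)} rows rejected")
    for atm_id, ip_text, reason in rejected:
        print(f"# rejected {atm_id} ({ip_text!r}): {reason}")
```

Run it once against a real extraction and compare the allow-rule count with the row count: the gap is the saving from collapsing, and a nonzero rejected count should abort the nightly load rather than be ignored, since a silently dropped ATM shows up as an outage while a bad row that slips through as a wider block shows up as a hole in the second-system check the policy requires.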