[ previous ] [ next ] [ threads ]
 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 10.000 firewall rules.
 Date:  Thu, 11 Jan 2007 01:34:21 -0500
On 1/11/07, Ulrik Lunddahl (PROconsult) <ul at proconsult dot dk> wrote:
> The sertup here is 10K ATM mashines and for every transaction they send
> UDP data to the TX server that is placed behind m0n0wall.

yikes...  so yeah, you probably do need 10K firewall rules.

> I recon every incomming UDP session uses one state, but how about the
> outgoing traffic to the ATM maskine, that is UPD as well, but will it
> use a session state ?

You 100% sure it's using UDP? The common ATM's here in the US at least
use TCP, and it's a much more sensible protocol to use for something
of this nature, which is why I question it.

> How fast is the UDP states teared down again ?

That's a good question...  TCP connections are removed from the state
table when the connection is complete. With UDP, since it's
connection-less, you don't have a definitive end of a connection. I
don't know how ipfilter handles that, but I would guess the
connections may sit around in the state table until they expire
(default of 2 hours, IIRC).

As for the outbound traffic, that depends - if it's just replying to
incoming traffic it doesn't create any additional state table entries.
ATM networks here in the US poll ATM's every 30 seconds via a TCP
connection.  If you have outbound polling like this, that'll take up
additional state entries.

UDP connections are undoubtedly going to hang around in the state
table for longer than the majority of TCP connections will.

> Does anyone know if i can have an IP alias with 10K single address in it
> ?

You can't do aliases like that with m0n0wall at all at this point,

> And last, will performance be hit by 10K rules or aliases ?

Searching for this info for ipfilter should give you some experiences
of people using that many rules. I've never heard of anybody here
using even close to that many rules.

You may be better suited with pfsense for this particular application
- the state table size can be increased in the GUI, and you can use an
alias for all the ATM's.