 
 From:  Roland Giesler <roland at thegreentree dot za dot net>
 To:  gil at vidals dot net
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] adding large number of country IPs to monowall
 Date:  Sat, 25 Apr 2009 19:59:35 +0200
2009/4/20 Gil Vidals <gvidals at gmail dot com>
>
> I'm brand new to m0n0wall. I've been reading the documentation and forums to
> learn about m0n0wall. My commercial firewall (Sonicwall) only allows me to
> add 100 rules; however, I need to add about 2,000 CIDR ranges
> (XX.XX.XX.XX/YY).
>
> I plan on creating the XML entries using a perl script to generate the 2,000
> rules. Then I would copy and paste the rules into m0n0wall's config.xml
> file.
>
> 1) Is this a reasonable approach?

Yes, it is.  I have done this with 10000 rules to test a concept.  (I
presume by rules you mean static routes?  Or are you referring to
filtering rules?)

>
> 2) How can I estimate the amount of RAM required to hold 2,000 rules?

You'll have to try it and see.  However, a simple little Linksys WRT45GL
wifi router with OpenWRT can handle over 1000 rules (tested!), so I
see no reason why a reasonably powered PC as firewall cannot handle
this.  The Linksys has only 16MB of RAM!

>
> 3) Has anyone done this.

Yes we have.

However, there is a major problem:  The web server cannot handle
this!!  So if you ever attempt to read the rules via the web GUI,
which would be a major reason for choosing m0n0wall rather than simply
using IP or routing tables (or something else), you'd have a machine
that stops responding.  This can of course be fixed by only showing 50
or maybe 100 at a time in the GUI and having a next and back button,
so it's not that anything is wrong with the web server, it's just that
web servers don't like listing 1000s of rows - it's really hard work
for a browser as well... :-)

The other question you have to ask yourself is: How many connections
are you going to have to your firewall at any moment in time?
Remember that each connection has to "scan" the rules to see where the
packets should go, et al, (in a manner of speaking), so if you have
thousands of connections to your firewall, you will need pretty
powerful hardware to keep going and not come to a grinding halt.

M0n0wallers, correct me if I'm wrong on this though, since I was never
able to test the performance of the 10000 routes under any significant
load.  I'm also not using this method anymore.


--
Roland Giesler
Green Tree Systems cc, Stellenbosch, South Africa
Mobile: 072-450-2817   http://www.thegreentree.za.net

Please note: We do not accept email disclaimers.  All mail sent to
thegreentree.za.net becomes our property and the contents will be
dealt with in any manner we see fit.  If you disagree with this,
please do not send us email.
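The question in this thread is how to turn a list of roughly 2,000 CIDR ranges into m0n0wall filter rules to paste into config.xml. The following is an added example written for this page, not code from either poster or from the m0n0wall project, and in Python rather than the Perl the original poster planned to use. It goes a step beyond the thread in two ways a practitioner would want: it rejects malformed lines instead of writing them into config.xml, and it collapses duplicate and adjacent ranges first, which directly reduces the rule count that the reply warns the packet filter and the web GUI both struggle with. The `<rule>` element layout (type, interface, source/address, destination/any, descr) is an assumption about m0n0wall's config.xml; compare it against a rule your own installation wrote before pasting anything. The sample CIDR list is constructed test data.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample input: one CIDR per line, a comment, a duplicate,
# two adjacent /25s that merge into a /24, and one malformed entry.
SAMPLE_CIDRS = """\
# country block list (constructed example data)
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
198.51.100.0/24
192.0.2.0/24
not-a-cidr
"""


def parse_cidrs(text):
    """Return (valid_networks, rejected_raw_lines).

    strict=True refuses entries whose host bits are set (e.g. 10.1.2.3/24),
    so a typo cannot silently become a wider or narrower rule than intended.
    """
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError:
            rejected.append(raw)
    return nets, rejected


def collapse(nets):
    """Merge duplicates and adjacent or overlapping ranges.

    Fewer rules means less work per connection for the filter and fewer
    rows for the GUI to render.  collapse_addresses() only accepts one
    address family at a time, so v4 and v6 are handled separately.
    """
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return (list(ipaddress.collapse_addresses(v4))
            + list(ipaddress.collapse_addresses(v6)))


def make_rule(net, interface="wan", descr_prefix="geo-block"):
    """Build one filter <rule> element.

    ASSUMPTION: this child-element layout is what m0n0wall's config.xml
    uses for filter rules; verify against a rule written by your own GUI.
    Building it with ElementTree (not string concatenation) means the
    description text is XML-escaped, so no input can break the document.
    """
    rule = ET.Element("rule")
    ET.SubElement(rule, "type").text = "block"
    ET.SubElement(rule, "interface").text = interface
    src = ET.SubElement(rule, "source")
    ET.SubElement(src, "address").text = str(net)
    dst = ET.SubElement(rule, "destination")
    ET.SubElement(dst, "any")
    ET.SubElement(rule, "descr").text = f"{descr_prefix} {net}"
    return rule


def build_rules_xml(text):
    """Return (xml_text, n_valid, n_after_collapse, rejected_lines).

    xml_text is a sequence of <rule> elements intended to be pasted inside
    the existing <filter>...</filter> section of config.xml.
    """
    nets, rejected = parse_cidrs(text)
    merged = collapse(nets)
    chunks = []
    for net in merged:
        rule = make_rule(net)
        ET.indent(rule)  # Python 3.9+; cosmetic only
        chunks.append(ET.tostring(rule, encoding="unicode"))
    return "\n".join(chunks), len(nets), len(merged), rejected


if __name__ == "__main__":
    xml_text, n_valid, n_merged, rejected = build_rules_xml(SAMPLE_CIDRS)
    print(xml_text)
    print(f"# {n_valid} valid ranges collapsed to {n_merged} rules; "
          f"rejected: {rejected}")
```

Run it with a real list on stdin or a file in place of `SAMPLE_CIDRS`, back up config.xml first, and keep the rejected lines: a country list from a third party often contains a handful of entries with host bits set that you will want to fix by hand rather than drop.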