On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote: > I will explain more deeply. I need to deploy a firewall(s) in front of web > server farm because I need to do billing - I will use CentOS with iptables > + ipset to store a list if my clients so when client doesn't pay his > server's IP is out of the list and he can't access the web server. > > Second - I know that iptables is very heavy and it's not recommended to > use it in gigabit firewall but I don't have a choice as far as I know only > ipset works with iptables. I don't know can pf store 500 IPs in one list. > Ipset is written for that purpose. > > I can't find information is there linux or BSD distribution with effective > firewall that uses optimized algorithm to store hundreds of IPs and to > forward huge traffic. Any idea? > I've been using Linux (CentOS5) on gigabit firewalls, for thousands of users. No problems. Just make sure ip_conntrack_max is big enough, so you don't run out of connections. There are other things to tune to optimize the performance, but it's certainly doable with linux+iptables. -- Pasi > regards > > <peter.serwe@xxxxxxxxx><centos@xxxxxxxxxx>I'll second damn near everything > nate said, and hopefully add a tidbit or two. > > If you're new to BSD, you may want to consider the pfsense project in the > aforementioned active-active configuration. > > It gives you a nice, intuitive gui to manage your failover firewalls, if > you insist on putting a firewall in front of your web servers. > > Better to secure the box, leave only the ports you need open on the public > interfaces, and don't firewall them. > > Also, I'd strongly consider running your firewalls with no disk at all. A > Live CD, CF card or USB Flash to boot off of, remote syslog and > one less subsystem (disks) to buy/fail makes for some mighty cheap 1U > servers. A single dual-core with core speeds above 3.0Ghz > and 4GB of RAM is to pass Gb @ line rate - ethernet overhead. Truth be > told, it's already being done on much less > than that. You can also load balance your traffic, albiet somewhat > primitively with it. If you really want massive throughput, consider > toying > around with extremely expensive 10G gear, size RAM appropriately, and see > how PF performs under multi-processor, high-core speed. > but if you're handling over a Gb of traffic and you can't split the > application into multiple farms, that's the best move. > > Akamai, for instance, runs 10G to each rack, each rack has around 20-24 > servers, and they run GB to the server. > > [1]pfsense.org has extensive information about hardware requirements, > features, and what you're looking to do. > > [2]https://calomel.org/network_performance.html is an excellent BSD > firewall performance site. > > One thing to note, you are claiming to want to deploy this as a passive > bridge. You cannot do what you want to do > running anything in bridge mode. The packets need to route somehow. Get > a /29 from your colo provider and ask > to have your existing block routed through it once you've tested it. > > Another option for a seamless failover, is to alias a different range of > IP's to the server interfaces, put a /29 and whatever > netblock you want to end up being your public IP block on the PFSense > hardware. When you're convinced everything's > working through rigorous testing, put a test domain up pointing to that > block, modify virtualhost entries on the servers to > respond to that domain with your production web site, and test some more. > Once you're convinced that's working perfectly, > make the changes in DNS to point your production domain at the IP's you > want, and failover will happen with DNS convergence. > > Peter > > On Fri, Dec 18, 2009 at 9:06 AM, nate <[3]centos@xxxxxxxxxxxxxxxx> wrote: > > sadas sadas wrote: > > > > Hi, > > I want to configure CentOS on powerful server with gigabit > > adapters as transparent bridge and deploy it in front of server farm. > > Can you tell how to optimize the OS for hight packet processing? What > > configurations I need to do to achieve very hight speeds and thousands > of > > packets? > > iptables makes a TERRIBLE firewall, use pf instead > > [4]http://www.openbsd.org/faq/pf/index.html > > Also consider how your going to provide redundancy, if you have a web > server farm you want to protect them with at least two firewalls, not > one. > > [5]http://www.openbsd.org/faq/pf/carp.html > > I haven't used CARP myself but did setup a pair of pf firewalls about > 5 years ago in a large network in bridging mode, the layer 3 fault > tolerance was provided by OSPF on the core switches, the firewalls > were active-active(with pfsync) since they were layer 2 only. > > Maybe someday linux will fix the overly complex iptables system to > something that is more manageable, not holding my breath though. > > If you want really high speed(say multi GbE) though you'll want/need > to go with an appliance based solution. > > Also since your referring to a web server farm, it is perfectly > acceptable to not use firewalls these days, if you have a good > load balancer that serves the same role as a firewall in that it > only passes traffic that you specifically configure it to pass. Also > in high traffic environments the performance of load balancers > destroys most firewalls, making investing in a high end firewall > a very expensive proposition. > > I've worked for the better part of the last 10 years with > companies who did not have firewalls in front of their web servers > for this reason, it didn't make sense $ wise, because the benefit > wasn't there, and the added complexity, and performance implications > wasn't worth it either. Talk to most load balancing companies and > they'll tell you this themselves. > nate > > </centos@xxxxxxxxxx></peter.serwe@xxxxxxxxx> > > References > > Visible links > 1. http://pfsense.org/ > 2. https://calomel.org/network_performance.html > 3. mailto:centos@xxxxxxxxxxxxxxxx > 4. http://www.openbsd.org/faq/pf/index.html > 5. http://www.openbsd.org/faq/pf/carp.html > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > http://lists.centos.org/mailman/listinfo/centos _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos