>On Fri, 15 Oct 2004 13:04:22 +0100 (BST), S Iremonger <exxsi@bath.ac.uk> wrote: >> >the external interface was >> >seeing about 600,000 pps at ~350Mbit/sec. The link is 1Gb, so it >> You may want some kind of simpler non-contracking machine infront, >> that has a simpler stateless firewall configuration on it... -- >> Maybe 'syncookies firewall' on that machine too.... >Possibly, yeah. I guess it depends on if it can keep up with the traffic. I suggest trying out following configuration:- --box infront of the ''firewall'' with:- Optimized kernel WITHOUT connection tracking on nice network devices/drivers... Make SURE the kernel is configured as "optimize as router not host". And -- instigate a **SIMPLE** ruleset (if any rules at all), e.g. just IP addresses and protocol types or something... Install the 'syncookies firewall' on this host, which will answer syn packets from outside with a 'cookie' and expect to see a valid answer to the cookie, and will then (and ONLY THEN) forward connection 'inbounds' to the network... Then have your 'real firewall' with connection tracking, and more complicated ruleset inside that.... I'd like to hear anybody's opinions on the above. Maybe what I said is counterproductive, maybe it isn't.... I want to hear, in any case. What I *am* preety sure about, is 'connection tracking' (needed for proper NAT as opposed to static 1-1 NAT) DOES slow down your packet passing rate CONSIDERABLY. >Right. It's an Intel 7502 board, dual on board Gig, and a a couple of >Gig cards in the PCI-X slots. All are the newer kind with interrupt >coalescing, but that doesn't matter much with 2.6 and NAPI. One I'm sorry, I dont know that board... >It was a Syn flood, so the easy answer here is to let it through and >let the target hosts deal with it directly. Well, MAYBE, but then MAYBE the SYN flood will just tie up all the conntrack tables ? >I'm not seeking an easy answer, but am wondering what kind of pps >limit people think is reasonable to expect. >Should 1.5M pps be possible, has someone done it? I don't know. sorry..... Good luck, let me know what happens... --S Iremonger <exxsi@bath.ac.uk> - : send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
