Hi,
I've got a Compaq box set up with 3 3Com NICs (10/100 - 3C905[ABC]) using
3Com's network driver for the B & C cards. I'm running Linux 2.4.17 and
iptables 1.2.4. The firewall rules are based on PCXFirewall 2.11
and PCXFirewall Rules 1.4 (http://pcxfirewall.sf.net). The box has 128
MB memory, 4 9GB SCSI drives doing software RAID 5, and over 2 GB of
swap space.
The problem I'm having is my client is trying to do SMB file transfers
from an internal machine to a Windows 2K box in the DMZ. When
downloading from the DMZ server to their Windows 2K workstation, the
transfer takes about 2 - 2.5 minutes (which is what it takes if you have
the 2 machines in the same network without going through the firewall).
But pushing files from his workstation to the DMZ server takes 5 - 8
minutes. Initially it was taking over 20 minutes, but I stopped using
the onboard ThunderLan NIC and switched to a 3Com and also re-ordered
the SMB rules to be right after my DNS rules.
Does anyone have any ideas as to how to make the upload go quicker? I've
played with changing the txqueuelen value but that has always made it go
slower. I'm not seeing collisions, etc., and he has switched to using a
3Com card in the DMZ server from the onboard ThunderLan NIC. This
actually made the upload time longer. :(
The client is threatening to move to Cisco because the outside programmer
that the DMZ server is for thinks that Cisco is more secure, etc., than
Linux, and also because he doesn't like Linux. The sysadmin I'm working
with wants to keep Linux because of the cost difference and he hasn't
seen any major issues, other than this speed problem.
The only thing I can see to improve in my firewall rules is to not mark
every incoming packet, which is the mechanism I'm using to know which
interface a packet came in on when I'm working with the POSTROUTING chain.
I'm working on making a version that does everything by user chains
(more so than I currently am), but it won't be ready for several days.
The client wants a solution by Thursday.
I've also tried just doing routing from the internal network to the DMZ,
no firewalling, and it is slower by several seconds, so not doing
firewalling isn't the solution. (This firewall is behind another
firewall which is acting as the choke point for their network.)
Any suggestions, pointers, etc. would be very much appreciated.
Thanks,
--
James A. Pattie
[EMAIL PROTECTED]
Linux -- SysAdmin / Programmer
PC & Web Xperience, Inc.
http://www.pcxperience.com/
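As an added illustration (not part of the post above and not taken from PCXFirewall), the script below shows the two rule layouts the message contrasts: the "mark every packet in mangle/PREROUTING so POSTROUTING can tell the ingress interface" approach, and the user-chain approach where FORWARD already sees both -i and -o and hands each interface pair to its own chain, so SMB packets between the LAN and DMZ traverse only a handful of rules. Interface names (eth0/eth1/eth2), the three mark values and the use of tcp/139 and tcp/445 for SMB are assumptions for the example; the post names none of them. IPT defaults to an echo stub so the script can be read and tested without root or iptables installed; set IPT=iptables to apply the rules on a real 2.4-era box with ip_conntrack loaded.

```shell
#!/bin/sh
# Added example: two ways to carry "which interface did this packet come in
# on" into later iptables chains. Not from the original post or PCXFirewall.
# IPT is a dry-run stub by default (prints the rules); IPT=iptables applies
# them. Left unquoted on purpose so "echo iptables" splits into two words.
IPT="${IPT:-echo iptables}"

# Assumed interface names (hypothetical; the post does not give them).
INT_IF=eth0   # internal LAN (the Windows 2000 workstation)
DMZ_IF=eth1   # DMZ (the Windows 2000 server)
EXT_IF=eth2   # towards the outer firewall

# Approach 1: the pattern the post describes. Every packet entering the box
# is tagged in mangle/PREROUTING with an fwmark derived from its ingress
# interface, because nat/POSTROUTING has no -i match of its own. Every packet
# pays for the mark rules, even LAN<->DMZ traffic that never needs NAT.
mark_rules() {
    $IPT -t mangle -A PREROUTING -i "$INT_IF" -j MARK --set-mark 1
    $IPT -t mangle -A PREROUTING -i "$DMZ_IF" -j MARK --set-mark 2
    $IPT -t mangle -A PREROUTING -i "$EXT_IF" -j MARK --set-mark 3
    # Only traffic that came in from the LAN and leaves via the outer
    # firewall is masqueraded; LAN->DMZ (mark 1, out DMZ_IF) is plain routing.
    $IPT -t nat -A POSTROUTING -m mark --mark 1 -o "$EXT_IF" -j MASQUERADE
}

# Approach 2: no per-packet marks. FORWARD sees both -i and -o, so each
# (in,out) pair jumps to its own user chain and a packet only evaluates the
# rules of the one chain that applies to it. The first rule short-circuits
# everything already tracked by ip_conntrack, which is nearly every packet
# of a bulk SMB transfer in either direction.
chain_rules() {
    $IPT -N int2dmz
    $IPT -N dmz2int
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -j int2dmz
    $IPT -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j dmz2int
    $IPT -A FORWARD -j DROP
    # New SMB sessions from the LAN to the DMZ server (NetBIOS session and
    # direct-hosted SMB over TCP); the DMZ may not open sessions to the LAN.
    $IPT -A int2dmz -p tcp --dport 139 -j ACCEPT
    $IPT -A int2dmz -p tcp --dport 445 -j ACCEPT
    $IPT -A int2dmz -j DROP
    $IPT -A dmz2int -j DROP
}

mark_rules
chain_rules
```

Run as-is, the script prints both rule sets rather than installing them; with IPT=iptables the chain-based version is the one the post says it is moving towards, and the ESTABLISHED,RELATED rule placed first in FORWARD is the single change that removes the per-packet cost for an in-progress transfer regardless of which layout is kept.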