Re: [CentOS] Optimizing CentOS for gigabit firewall
On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
> I will explain more deeply. I need to deploy a firewall(s) in front of a web server farm because I need to do billing - I will use CentOS with iptables + ipset to store a list of my clients, so when a client doesn't pay, his server's IP is out of the list and he can't access the web server. Second - I know that iptables is very heavy and it's not recommended to use it in a gigabit firewall, but I don't have a choice; as far as I know only ipset works with iptables. I don't know whether pf can store 500 IPs in one list. Ipset is written for that purpose. I can't find information on whether there is a Linux or BSD distribution with an effective firewall that uses an optimized algorithm to store hundreds of IPs and to forward huge traffic. Any idea?

I've been using Linux (CentOS5) on gigabit firewalls, for thousands of users. No problems.

Just make sure ip_conntrack_max is big enough, so you don't run out of connections.

There are other things to tune to optimize the performance, but it's certainly doable with linux+iptables.

-- Pasi
Re: [CentOS] Optimizing CentOS for gigabit firewall
On Sun, Dec 20, 2009 at 09:58:19AM -0800, nate wrote:
> RedShift wrote:
> > Have you got some figures to back that up? Everybody's saying OpenBSD's pf performance is superior, yet nobody has posted some proof.
>
> Not sure myself, keep in mind that there are (at least) two different ways to measure firewall performance - connections/second and throughput. There was a url someone posted a few days ago going in depth into tuning of OpenBSD for max performance and mentioned 930Mbit of throughput on a single gigE link.

Some months ago there were discussions about 10 gbit performance with Linux. Some guys were pushing over 70 Gbit/sec through a single linux box. Not sure if firewalling was enabled.. most probably not.

-- Pasi

___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Optimizing CentOS for gigabit firewall
thus Pasi Kärkkäinen spake:
> On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
> > I will explain more deeply. I need to deploy a firewall(s) in front of a web server farm because I need to do billing - I will use CentOS with iptables + ipset to store a list of my clients, so when a client doesn't pay, his server's IP is out of the list and he can't access the web server. Second - I know that iptables is very heavy and it's not recommended to use it in a gigabit firewall, but I don't have a choice; as far as I know only ipset works with iptables. I don't know whether pf can store 500 IPs in one list. Ipset is written for that purpose. I can't find information on whether there is a Linux or BSD distribution with an effective firewall that uses an optimized algorithm to store hundreds of IPs and to forward huge traffic. Any idea?
>
> I've been using Linux (CentOS5) on gigabit firewalls, for thousands of users. No problems.

Yeah, but what is your ruleset?

> Just make sure ip_conntrack_max is big enough, so you don't run out of connections.

Just three months ago I saw a CentOS L2TP cluster explode because of this -- and the machines have _plenty_ of RAM each. Turning off ip[6]tables entirely and letting the Ciscos do this was the only solution.

> There are other things to tune to optimize the performance, but it's certainly doable with linux+iptables.

Nail, hammer, etc. ;)

> -- Pasi

Timo
Re: [CentOS] Optimizing CentOS for gigabit firewall
Pasi Kärkkäinen wrote:
> Some months ago there were discussions about 10 gbit performance with Linux. Some guys were pushing over 70 Gbit/sec through a single linux box. Not sure if firewalling was enabled.. most probably not.

What I see consistently with iptables is people writing far too many rules and trying to micromanage traffic when the kernel already knows what it's doing. Try to keep it super simple. ***BSD's pf rules are just much simpler, it takes far fewer of them to do what you need to do.
Re: [CentOS] Optimizing CentOS for gigabit firewall
On Mon, Dec 21, 2009 at 10:17:48AM +0100, Timo Schoeler wrote:
> thus Pasi Kärkkäinen spake:
> > On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
> > > I will explain more deeply. I need to deploy a firewall(s) in front of a web server farm because I need to do billing - I will use CentOS with iptables + ipset to store a list of my clients, so when a client doesn't pay, his server's IP is out of the list and he can't access the web server. Second - I know that iptables is very heavy and it's not recommended to use it in a gigabit firewall, but I don't have a choice; as far as I know only ipset works with iptables. I don't know whether pf can store 500 IPs in one list. Ipset is written for that purpose. I can't find information on whether there is a Linux or BSD distribution with an effective firewall that uses an optimized algorithm to store hundreds of IPs and to forward huge traffic. Any idea?
> >
> > I've been using Linux (CentOS5) on gigabit firewalls, for thousands of users. No problems.
>
> Yeah, but what is your ruleset?

Hundreds of chains, thousands of rules..

> > Just make sure ip_conntrack_max is big enough, so you don't run out of connections.
>
> Just three months ago I saw a CentOS L2TP cluster explode because of this -- and the machines have _plenty_ of RAM each. Turning off ip[6]tables entirely and letting the Ciscos do this was the only solution.

The default values are way too low. First step is to increase that value.

> > There are other things to tune to optimize the performance, but it's certainly doable with linux+iptables.
>
> Nail, hammer, etc. ;)

-- Pasi
Re: [CentOS] Optimizing CentOS for gigabit firewall
> Some months ago there were discussions about 10 gbit performance with Linux. Some guys were pushing over 70 Gbit/sec through a single linux box.

70 Gbit/sec ? Maybe with port aggregation it's possible. Can you give some more info about those guys. To achieve that high throughput maybe it's necessary to cut most of the OS and the kernel, leaving only the necessary. I'm very interested to read more information about the experiment.

regards

p.s. here you can see a 10 Gbit/s experiment: http://haproxy.1wt.eu/10g.html
Re: [CentOS] Optimizing CentOS for gigabit firewall
thus Pasi Kärkkäinen spake:
> On Mon, Dec 21, 2009 at 10:17:48AM +0100, Timo Schoeler wrote:
> > thus Pasi Kärkkäinen spake:
> > > On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
> > > > I will explain more deeply. I need to deploy a firewall(s) in front of a web server farm because I need to do billing - I will use CentOS with iptables + ipset to store a list of my clients, so when a client doesn't pay, his server's IP is out of the list and he can't access the web server. Second - I know that iptables is very heavy and it's not recommended to use it in a gigabit firewall, but I don't have a choice; as far as I know only ipset works with iptables. I don't know whether pf can store 500 IPs in one list. Ipset is written for that purpose. I can't find information on whether there is a Linux or BSD distribution with an effective firewall that uses an optimized algorithm to store hundreds of IPs and to forward huge traffic. Any idea?
> > >
> > > I've been using Linux (CentOS5) on gigabit firewalls, for thousands of users. No problems.
> >
> > Yeah, but what is your ruleset?
>
> Hundreds of chains, thousands of rules..
>
> > > Just make sure ip_conntrack_max is big enough, so you don't run out of connections.
> >
> > Just three months ago I saw a CentOS L2TP cluster explode because of this -- and the machines have _plenty_ of RAM each. Turning off ip[6]tables entirely and letting the Ciscos do this was the only solution.
>
> The default values are way too low. First step is to increase that value.

Was the first thing I tried; unfortunately, I didn't really see sense in giving iptables the vast majority of 32GiByte RAM...

> > > There are other things to tune to optimize the performance, but it's certainly doable with linux+iptables.
> >
> > Nail, hammer, etc. ;)
>
> -- Pasi

Timo
Re: [CentOS] Optimizing CentOS for gigabit firewall
On Mon, Dec 21, 2009 at 12:04:32PM +0200, sadas sadas wrote:
> > Some months ago there were discussions about 10 gbit performance with Linux. Some guys were pushing over 70 Gbit/sec through a single linux box.
>
> 70 Gbit/sec ? Maybe with port aggregation it's possible. Can you give some more info about those guys. To achieve that high throughput maybe it's necessary to cut most of the OS and the kernel, leaving only the necessary. I'm very interested to read more information about the experiment.
>
> regards
>
> p.s. here you can see a 10 Gbit/s experiment: http://haproxy.1wt.eu/10g.html

See this thread: http://groups.google.com/group/linux.kernel/browse_thread/thread/70e62d8a85cd3241

quote:

We also achieved nearly 80 Gbps in bidirectional TCP tests (40 Gbps simultaneously in each direction): This was using 2 dual-port 10-GigE NICs in the first two PCIe 2.0 slots. We are using an Intel i7 965 quad-core 3.2 GHz Nehalem processor (overclocked to 3.4 GHz) and 2000 MHz DDR3 memory. Adding an additional dual-port 10-GigE NIC on the Nvidia N200 chip does only marginally better, as it appears we are basically CPU limited at this point for this test (the sum of the TX and RX CPU utilization for each pair of 10-GigE interfaces is about 93%).

-- Pasi
Re: [CentOS] Optimizing CentOS for gigabit firewall
Peter Serwe wrote:
> I'll second damn near everything nate said, and hopefully add a tidbit or two. If you're new to BSD, you may want to consider the pfsense project in the aforementioned active-active configuration. It gives you a nice, intuitive gui to manage your failover firewalls, if you insist on putting a firewall in front of your web servers. Better to secure the box, leave only the ports you need open on the public interfaces, and don't firewall them. Also, I'd strongly consider running your firewalls with no disk at all. A Live CD, CF card or USB Flash to boot off of, remote syslog and one less subsystem (disks) to buy/fail makes for some mighty cheap 1U servers. A single dual-core with core speeds above 3.0GHz and 4GB of RAM is to pass Gb @ line rate - ethernet overhead. Truth be told, it's already being done on much less than that.

/me going to try to get a diskless OpenBSD setup again.

> You can also load balance your traffic, albeit somewhat primitively with it. If you really want massive throughput, consider toying around with extremely expensive 10G gear, size RAM appropriately, and see how PF performs under multi-processor, high-core speed. but if you're handling over a Gb of traffic and you can't split the application into multiple farms, that's the best move.

That part about high-core speed for OpenBSD pf is definitely on. The multi-processor part...not too sure. Maybe with NUMA systems like what you get on AMD Opteron platforms.
Re: [CentOS] Optimizing CentOS for gigabit firewall
Chan Chung Hang Christopher wrote:
> Les Mikesell wrote:
> > Timo Schoeler wrote:
> > > > What about NetBSD? I heard that NetBSD has the best network stack out there. Maybe NetBSD with pf is the best choice?
> > >
> > > NetBSD is a very nice OS, I personally like it most (out of all BSDs out there); however, as can be read on http://www.netbsd.org/docs/network/pf.html there's the 'usual lag': OpenBSD implements feature X in 4.6, wait some time to see it implemented elsewhere. One of the biggest strengths of OpenBSD is that it's really a completely rounded piece of work. Keep it that way. pf will perform best on OpenBSD, with all the nice features it has.
> >
> > Has anyone used Firewall Builder to create a complex set of iptables rules? Or compared performance where it built the same thing for linux/iptables and bsd/pf?
>
> Are you joking? That piece of crap just puts everything into one single chain. I never EVER use Firewall Builder after I saw the results the first time.

I haven't used it, but that doesn't seem to match the documentation under Multiple Rule Sets here: http://www.fwbuilder.org/docs/firewall_builder_3_features.html

-- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] Optimizing CentOS for gigabit firewall
On 12/20/09 16:22, Chan Chung Hang Christopher wrote:
> Les Mikesell wrote:
> > Timo Schoeler wrote:
> > > > What about NetBSD? I heard that NetBSD has the best network stack out there. Maybe NetBSD with pf is the best choice?
> > >
> > > NetBSD is a very nice OS, I personally like it most (out of all BSDs out there); however, as can be read on http://www.netbsd.org/docs/network/pf.html there's the 'usual lag': OpenBSD implements feature X in 4.6, wait some time to see it implemented elsewhere. One of the biggest strengths of OpenBSD is that it's really a completely rounded piece of work. Keep it that way. pf will perform best on OpenBSD, with all the nice features it has.
> >
> > Has anyone used Firewall Builder to create a complex set of iptables rules? Or compared performance where it built the same thing for linux/iptables and bsd/pf?
>
> Are you joking? That piece of crap just puts everything into one single chain. I never EVER use Firewall Builder after I saw the results the first time.
>
> For a BRIDGING firewall, there is absolutely NO WAY that Linux/netfilter can keep up with OpenBSD/pf. I doubt that Linux/netfilter can even reach half the performance of OpenBSD/pf.

Have you got some figures to back that up? Everybody's saying OpenBSD's pf performance is superior, yet nobody has posted some proof.

Glenn
Re: [CentOS] Optimizing CentOS for gigabit firewall
RedShift wrote:
> Have you got some figures to back that up? Everybody's saying OpenBSD's pf performance is superior, yet nobody has posted some proof.

Not sure myself, keep in mind that there are (at least) two different ways to measure firewall performance - connections/second and throughput. There was a url someone posted a few days ago going in depth into tuning of OpenBSD for max performance and mentioned 930Mbit of throughput on a single gigE link.

(all performance numbers assume standard 1500 byte frame sizes)

My own testing 5 years ago with no tuning I was able to run iperf at roughly 500Mbit through an OpenBSD pf firewall, with about 30% cpu usage (single cpu, most of it interrupt driven). Someone(s) on the list at the time said I would have gotten more had I used multiple connections. I also recall the system being able to absorb roughly 10,000 connections/second.

It also mentioned (I think) the giant lock in the OpenBSD kernel limiting performance to a single cpu core, I'm not sure of the status of the linux locking, whether or not iptables can effectively use more than one core.

For me using pf is more about simplicity, the configuration is easy to understand, and very easy to setup. Also setting up redundancy with pfsync is quite easy too (I tried looking for ways to replicate iptables state but all I could find is some experimental patches).

Most of my firewalls need less than 1Gbps of throughput, so pf works well. I would not expect pf, or linux to be able to scale to multi GbE speeds, for that I would go for a firewall appliance something along the lines of a Juniper Netscreen, or perhaps Checkpoint.

On occasion I have thought about attempting to use multiple firewalls that are in sync in bridging mode between a pair of switches running static 802.3ad port load balancing to achieve higher overall throughput. Haven't had the time or need to attempt it though.

Maybe if I spent more time with iptables it would be easier to understand, I find the whole user experience with it to be frustrating to say the least. I haven't tried any of the various front ends out there. I find the userspace environment of OpenBSD to be equally as frustrating as iptables, but for me I just set the box up and really don't touch it much afterwards.

I originally went with FreeBSD about 9 years ago when running bridged firewall/IDS systems, later migrated to OpenBSD for pf, and haven't seen/heard/read of a good reason to try linux again. I do use iptables on occasion for very small setups (single server), but never for multi system setups.

Sample, fairly complicated pf configuration (from 4 years ago): http://portal.aphroland.org/~aphro/master.pf

nate
Re: [CentOS] Optimizing CentOS for gigabit firewall
On Fri, Dec 18, 2009 at 12:06 PM, nate cen...@linuxpowered.net wrote:
> iptables makes a TERRIBLE firewall, use pf instead http://www.openbsd.org/faq/pf/index.html

I wholeheartedly agree with Nate on this! I spent a bunch of time looking at firewall solutions a year or two back, and PF was by far the easiest solution to manage and get up and running. There are also some killer tools for monitoring PF activity: http://prefetch.net/articles/monitoringpf.html

- Ryan

-- http://prefetch.net
Re: [CentOS] Optimizing CentOS for gigabit firewall
This thread is like a bad joke. You've been given the answer 37 times by 23 people. Harrow?!!

Peter

On Sun, Dec 20, 2009 at 8:10 AM, sadas sadas mai...@abv.bg wrote:
> What solution for gigabit firewall can you suggest? Which OS and packet filter is capable of achieving high performance and gigabit speeds?

-- Peter Serwe http://truthlightway.blogspot.com/
Re: [CentOS] Optimizing CentOS for gigabit firewall
> This thread is like a bad joke. You've been given the answer 37 times by 23 people. Harrow?!!

Well, if all you've got is a hammer, everything will begin to look like a nail. Doesn't it? ;-)

Rainer
Re: [CentOS] Optimizing CentOS for gigabit firewall
I've got a garage full of tools at my disposal. However, for the task at hand, which is nailing a nail, there is no tool more appropriate than the aforementioned hammer.

Peter

On Sun, Dec 20, 2009 at 12:50 PM, rai...@ultra-secure.de wrote:
> > This thread is like a bad joke. You've been given the answer 37 times by 23 people. Harrow?!!
>
> Well, if all you've got is a hammer, everything will begin to look like a nail. Doesn't it? ;-)
>
> Rainer

-- Peter Serwe http://truthlightway.blogspot.com/
Re: [CentOS] Optimizing CentOS for gigabit firewall
> I've got a garage full of tools at my disposal. However, for the task at hand, which is nailing a nail, there is no tool more appropriate than the aforementioned hammer.

Yeah, but the original poster's only tool seems to be the CentOS sledge-hammer. I could understand him if the answer to his question was "IRIX" or "Buy an IBM mainframe". I think even in large enterprises with a strict policy about what OS and what applications can go into a datacenter, there should be a way to define exceptions. Because there are always cases where the one-size-fits-all policy just doesn't fit at all.

Rainer
Re: [CentOS] Optimizing CentOS for gigabit firewall
Peter Serwe wrote:
> This thread is like a bad joke. You've been given the answer 37 times by 23 people.

And yet, none of those responses provided any objective measurements or links to test results. Not only were most just opinions, many said the opinions were based on first impressions of old versions of things long ago.

-- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] Optimizing CentOS for gigabit firewall
rai...@ultra-secure.de wrote:
> > I've got a garage full of tools at my disposal. However, for the task at hand, which is nailing a nail, there is no tool more appropriate than the aforementioned hammer.
>
> Yeah, but the original poster's only tool seems to be the CentOS sledge-hammer. I could understand him if the answer to his question was "IRIX" or "Buy an IBM mainframe". I think even in large enterprises with a strict policy about what OS and what applications can go into a datacenter, there should be a way to define exceptions. Because there are always cases where the one-size-fits-all policy just doesn't fit at all.

I think the original poster was more interested in separating billing for different addresses than typical firewall tasks anyway. And in that case it might make more sense to use netflow reports from the gateway router if it has the capability, or per-interface traffic on the downstream switch ports.

-- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] Optimizing CentOS for gigabit firewall
Les Mikesell wrote:
> Chan Chung Hang Christopher wrote:
> > That part about high-core speed for OpenBSD pf is definitely on. The multi-processor part...not too sure. Maybe with NUMA systems like what you get on AMD Opteron platforms.
>
> Don't both iptables and pf bypass the filters for established TCP connections (making the filtering speed only rarely relevant)?

Yeah, IF you set up the rules right. On that score, I think openbsd has a certain order iirc so you cannot go wrong there...but with iptables and netfilter...heh.
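The three pieces of advice in this thread (an ipset holding the paying customers' server addresses, as the original post planned; ip_conntrack_max raised well above its default, as Pasi insisted; and the "set up the rules right" point above, accepting established flows before any lookup) fit in one script. This is an added example, not anything posted to the list: the interface, set and chain names and the 262144 limit are arbitrary assumptions, and it assumes a kernel with nf_conntrack (the newer name of the ip_conntrack_max knob) and an ipset that understands the hash:ip syntax.

```shell
#!/bin/sh
# Added example (not from the thread): ipset allow-list for a billed web
# farm, with established-first rule ordering and conntrack sizing.
# Assumptions (ours): farm traffic leaves on $FARM_IF; the set name, chain
# name and 262144 limit are arbitrary; nf_conntrack and hash:ip ipset exist.
# DRY_RUN=1 prints each command instead of executing it, so the ruleset
# can be reviewed without root.

SET_NAME="${SET_NAME:-paying_clients}"
CHAIN="${CHAIN:-FARM_ACL}"
FARM_IF="${FARM_IF:-eth1}"
CONNTRACK_MAX="${CONNTRACK_MAX:-262144}"

# Execute a command, or print it verbatim under DRY_RUN.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The stock conntrack limit is far below what a busy gigabit box needs;
# once the table is full, new connections are silently dropped. Each entry
# costs a few hundred bytes, so 262144 entries is still under 100 MB.
tune_conntrack() {
    run sysctl -w "net.netfilter.nf_conntrack_max=${CONNTRACK_MAX}"
    # Idle established TCP flows hold a slot for 5 days by default; one
    # hour frees slots much sooner in front of a web farm.
    run sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
}

# One hash set replaces hundreds of per-customer rules: a lookup costs the
# same whether the set holds 5 addresses or 5000.
setup_set() {
    run ipset create "$SET_NAME" hash:ip -exist
}

# Billing hooks. Removing a server stops NEW connections at once; flows
# already in conntrack keep matching rule 1 below until they end (the
# conntrack-tools command "conntrack -D -d <ip>" would flush them).
add_client() { run ipset add "$SET_NAME" "$1" -exist; }
del_client() { run ipset del "$SET_NAME" "$1" -exist; }

install_rules() {
    run iptables -N "$CHAIN" 2>/dev/null || true
    run iptables -F "$CHAIN"
    # 1. Established and related flows are accepted first, so the set
    #    lookup below runs once per connection, not once per packet.
    run iptables -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. Packets conntrack cannot place in any flow are dropped outright.
    run iptables -A "$CHAIN" -m conntrack --ctstate INVALID -j DROP
    # 3. New HTTP/HTTPS connections to a server whose address is in the set.
    run iptables -A "$CHAIN" -p tcp -m multiport --dports 80,443 \
        -m set --match-set "$SET_NAME" dst -j ACCEPT
    # 4. Everything else headed for the farm: unpaid servers, other ports.
    run iptables -A "$CHAIN" -j DROP
    # Hook the chain into FORWARD for traffic going out towards the farm;
    # remove any earlier hook first so reloads don't stack duplicates.
    run iptables -D FORWARD -o "$FARM_IF" -j "$CHAIN" 2>/dev/null || true
    run iptables -I FORWARD 1 -o "$FARM_IF" -j "$CHAIN"
}

main() {
    tune_conntrack
    setup_set
    install_rules
}

# Usage: ./farm-acl.sh apply | add <ip> | del <ip>   (DRY_RUN=1 to preview)
case "${1:-}" in
    apply) main ;;
    add)   add_client "$2" ;;
    del)   del_client "$2" ;;
esac
```

Run it with DRY_RUN=1 first and check that the ESTABLISHED,RELATED rule is printed before the match-set rule; that ordering is what keeps the per-packet cost independent of the size of the customer list.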
Re: [CentOS] Optimizing CentOS for gigabit firewall
RedShift wrote:
> On 12/20/09 16:22, Chan Chung Hang Christopher wrote:
> > Les Mikesell wrote:
> > > Timo Schoeler wrote:
> > > > > What about NetBSD? I heard that NetBSD has the best network stack out there. Maybe NetBSD with pf is the best choice?
> > > >
> > > > NetBSD is a very nice OS, I personally like it most (out of all BSDs out there); however, as can be read on http://www.netbsd.org/docs/network/pf.html there's the 'usual lag': OpenBSD implements feature X in 4.6, wait some time to see it implemented elsewhere. One of the biggest strengths of OpenBSD is that it's really a completely rounded piece of work. Keep it that way. pf will perform best on OpenBSD, with all the nice features it has.
> > >
> > > Has anyone used Firewall Builder to create a complex set of iptables rules? Or compared performance where it built the same thing for linux/iptables and bsd/pf?
> >
> > Are you joking? That piece of crap just puts everything into one single chain. I never EVER use Firewall Builder after I saw the results the first time.
> >
> > For a BRIDGING firewall, there is absolutely NO WAY that Linux/netfilter can keep up with OpenBSD/pf. I doubt that Linux/netfilter can even reach half the performance of OpenBSD/pf.
>
> Have you got some figures to back that up? Everybody's saying OpenBSD's pf performance is superior, yet nobody has posted some proof.

There were figures before on the Net but this was something like 4 years ago when I was looking into this. At that time, using Linux for a bridging firewall was akin to suicide...the chums had to go for FreeBSD (which they were more familiar with) and later one of them got an OpenBSD firewall that had lower resource usage for the same load.

So sorry, I cannot give you anything. But I can say that connection tracking sure chews cpu. I had to not use any connection tracking in the rules. This is not in a bridging scenario. This was just pure host based filtering. So if you want something stateful...I have my doubts as to netfilter's performance versus OpenBSD pf.
Re: [CentOS] Optimizing CentOS for gigabit firewall
Peter Serwe wrote:
> So basically, you're saying you'd want to allow or disallow traffic based on mac address? Seems like you could put mac filters on a number of switches, Cisco being the most easily documented by Mr. Google. Be a lot faster than any kernel, and a total waste of BSD. If you can do it on Linux via some other mechanism, go for it.

Or perhaps use a VLAN trunk to the switch with the devices you want to isolate on different VLANs. This gives you a different interface/subnet per VLAN for more natural control.

-- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] Optimizing CentOS for gigabit firewall
I'd argue handling it at the layer 3 level to be preferable to splitting every customer into their own vlan. If you split into vlans like that, if you have single-box customers, you'll have to have subnet boundaries for every /30... OTOH, vlan isolation for customers is pretty much the norm, as long as you've got the IP's to waste, why not..

Peter

On Sat, Dec 19, 2009 at 8:42 AM, Les Mikesell lesmikes...@gmail.com wrote:
> Peter Serwe wrote:
> > So basically, you're saying you'd want to allow or disallow traffic based on mac address? Seems like you could put mac filters on a number of switches, Cisco being the most easily documented by Mr. Google. Be a lot faster than any kernel, and a total waste of BSD. If you can do it on Linux via some other mechanism, go for it.
>
> Or perhaps use a VLAN trunk to the switch with the devices you want to isolate on different VLANs. This gives you a different interface/subnet per VLAN for more natural control.
>
> -- Les Mikesell lesmikes...@gmail.com

-- Peter Serwe http://truthlightway.blogspot.com/
Re: [CentOS] Optimizing CentOS for gigabit firewall
sadas sadas wrote:
> Hi, I want to configure CentOS on a powerful server with gigabit adapters as a transparent bridge and deploy it in front of a server farm. Can you tell how to optimize the OS for high packet processing? What configurations do I need to do to achieve very high speeds and thousands of packets?

iptables makes a TERRIBLE firewall, use pf instead http://www.openbsd.org/faq/pf/index.html

Also consider how you're going to provide redundancy, if you have a web server farm you want to protect them with at least two firewalls, not one. http://www.openbsd.org/faq/pf/carp.html

I haven't used CARP myself but did setup a pair of pf firewalls about 5 years ago in a large network in bridging mode, the layer 3 fault tolerance was provided by OSPF on the core switches, the firewalls were active-active (with pfsync) since they were layer 2 only.

Maybe someday linux will fix the overly complex iptables system to something that is more manageable, not holding my breath though. If you want really high speed (say multi GbE) though you'll want/need to go with an appliance based solution.

Also since you're referring to a web server farm, it is perfectly acceptable to not use firewalls these days, if you have a good load balancer that serves the same role as a firewall in that it only passes traffic that you specifically configure it to pass. Also in high traffic environments the performance of load balancers destroys most firewalls, making investing in a high end firewall a very expensive proposition. I've worked for the better part of the last 10 years with companies who did not have firewalls in front of their web servers for this reason, it didn't make sense $$ wise, because the benefit wasn't there, and the added complexity, and performance implications weren't worth it either. Talk to most load balancing companies and they'll tell you this themselves.

nate
Re: [CentOS] Optimizing CentOS for gigabit firewall
I'll second damn near everything nate said, and hopefully add a tidbit or two. If you're new to BSD, you may want to consider the pfsense project in the aforementioned active-active configuration. It gives you a nice, intuitive gui to manage your failover firewalls, if you insist on putting a firewall in front of your web servers. Better to secure the box, leave only the ports you need open on the public interfaces, and don't firewall them. Also, I'd strongly consider running your firewalls with no disk at all. A Live CD, CF card or USB Flash to boot off of, remote syslog and one less subsystem (disks) to buy/fail makes for some mighty cheap 1U servers. A single dual-core with core speeds above 3.0Ghz and 4GB of RAM is to pass Gb @ line rate - ethernet overhead. Truth be told, it's already being done on much less than that. You can also load balance your traffic, albiet somewhat primitively with it. If you really want massive throughput, consider toying around with extremely expensive 10G gear, size RAM appropriately, and see how PF performs under multi-processor, high-core speed. but if you're handling over a Gb of traffic and you can't split the application into multiple farms, that's the best move. Akamai, for instance, runs 10G to each rack, each rack has around 20-24 servers, and they run GB to the server. pfsense.org has extensive information about hardware requirements, features, and what you're looking to do. https://calomel.org/network_performance.html is an excellent BSD firewall performance site. One thing to note, you are claiming to want to deploy this as a passive bridge. You cannot do what you want to do running anything in bridge mode. The packets need to route somehow. Get a /29 from your colo provider and ask to have your existing block routed through it once you've tested it. 
Another option for a seamless failover is to alias a different range of IPs to the server interfaces, put a /29 and whatever netblock you want to end up being your public IP block on the PFSense hardware. When you're convinced everything's working through rigorous testing, put a test domain up pointing to that block, modify virtualhost entries on the servers to respond to that domain with your production web site, and test some more. Once you're convinced that's working perfectly, make the changes in DNS to point your production domain at the IPs you want, and failover will happen with DNS convergence.

Peter

On Fri, Dec 18, 2009 at 9:06 AM, nate cen...@linuxpowered.net wrote:

[...]
-- Peter Serwe http://truthlightway.blogspot.com/
Re: [CentOS] Optimizing CentOS for gigabit firewall
I will explain more deeply. I need to deploy a firewall(s) in front of the web server farm because I need to do billing - I will use CentOS with iptables + ipset to store a list of my clients, so when a client doesn't pay his server's IP is out of the list and he can't access the web server.

Second - I know that iptables is very heavy and it's not recommended to use it in a gigabit firewall but I don't have a choice, as far as I know only ipset works with iptables. I don't know if pf can store 500 IPs in one list. Ipset is written for that purpose.

I can't find information on whether there is a linux or BSD distribution with an effective firewall that uses an optimized algorithm to store hundreds of IPs and to forward huge traffic. Any idea?

regards

[...]
Re: [CentOS] Optimizing CentOS for gigabit firewall
On Fri, Dec 18, 2009 at 2:36 PM, sadas sadas mai...@abv.bg wrote:

I can't find information on whether there is a linux or BSD distribution with an effective firewall that uses an optimized algorithm to store hundreds of IPs and to forward huge traffic. Any idea?

I think you'll find that this kind of thing can be handled by pf without pf breaking a sweat. And you can ask 100 people what they think you'll find and get 100 different answers. What you really need to do is configure this setup for a controlled test. Only then will you have a good idea what to expect when you go into production.
Re: [CentOS] Optimizing CentOS for gigabit firewall
sadas sadas wrote:

I can't find information on whether there is a linux or BSD distribution with an effective firewall that uses an optimized algorithm to store hundreds of IPs and to forward huge traffic. Any idea?

Hundreds?

http://www.openbsd.org/faq/pf/tables.html

A table is used to hold a group of IPv4 and/or IPv6 addresses. Lookups against a table are very fast and consume less memory and processor time than lists. For this reason, a table is ideal for holding a large group of addresses as the lookup time on a table holding 50,000 addresses is only slightly more than for one holding 50 addresses. Tables can be used in the following ways:

* source and/or destination address in filter, NAT, and redirection rules.
* translation address in NAT rules.
* redirection address in redirection rules.
* destination address in route-to, reply-to, and dup-to filter rule options.

nuff said ?

I love linux, I've been using it for almost 15 years now, I absolutely hate iptables (and ipchains, and ipfwadm). By contrast I absolutely hate everything about OpenBSD except for pf (which I love, ipfw and ipf aren't too bad either, at least for the era), so I use OpenBSD for firewalls, and linux for everything else.

nate
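Both fast-lookup structures discussed in this thread, the ipset that sadas wants iptables to match against and the pf table nate points to here, are loaded from a plain list of addresses, so the part worth getting right is how that list is produced and reloaded from the billing data. The POSIX shell script below is an added example, not code from the thread or from either project. It turns a constructed billing list into `ipset restore` input (built in a temporary set and swapped in atomically, so the live set is never empty or half-loaded while traffic is being forwarded), into an incremental add/del script between two billing runs, and into a pf table file. The set/table name `paying`, the three-column list format, the sample addresses and client names are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the address list that
# backs either an ipset (iptables) or a pf table from a billing file.
# The clients, addresses and the "paying" set/table name are constructed;
# the real list format and naming are an assumption, not the poster's.

# Constructed sample billing list: "<ip-or-cidr> <client> <status>".
CLIENTS='203.0.113.10    acme     active
203.0.113.11    globex   unpaid
203.0.113.12    initech  active
198.51.100.0/24 umbrella active
# comment lines and blank lines are ignored

192.0.2.7       hooli    suspended'

# The same list after the next billing run: acme stopped paying, globex paid.
CLIENTS_NEXT='203.0.113.10    acme     unpaid
203.0.113.11    globex   active
203.0.113.12    initech  active
198.51.100.0/24 umbrella active
192.0.2.7       hooli    suspended'

# Print only the addresses whose status is exactly "active".
# Anything else (unpaid, suspended, malformed, comment) is left out, so a
# typo in the status column fails closed rather than granting service.
active_addrs() {
    printf '%s\n' "$1" |
        awk '$1 !~ /^#/ && NF == 3 && $3 == "active" { print $1 }'
}

# Number of active entries, for a sanity check before loading.
count_active() {
    active_addrs "$1" | wc -l | tr -d ' '
}

# Full reload as input for `ipset restore -exist`: fill a temporary set,
# then swap it into place so the live set is replaced atomically and is
# never empty (or half-loaded) while forwarding continues.
ipset_restore_script() {
    printf 'create paying hash:net family inet hashsize 1024 maxelem 65536\n'
    printf 'create paying_tmp hash:net family inet hashsize 1024 maxelem 65536\n'
    printf 'flush paying_tmp\n'
    active_addrs "$1" | awk '{ print "add paying_tmp " $1 }'
    printf 'swap paying_tmp paying\n'
    printf 'destroy paying_tmp\n'
}

# Incremental update between two billing runs: emit `del` for addresses
# that are no longer active and `add` for newly active ones, so a single
# client change does not require rebuilding the whole set.
ipset_incremental() {
    {
        active_addrs "$1" | sed 's/^/old /'
        active_addrs "$2" | sed 's/^/new /'
    } | awk '
        $1 == "old" { old[$2] = 1 }
        $1 == "new" { new[$2] = 1 }
        END {
            for (a in old) if (!(a in new)) print "del paying " a
            for (a in new) if (!(a in old)) print "add paying " a
        }'
}

# pf equivalent: a one-address-per-line file for
# `pfctl -t paying -T replace -f <file>` (pf tables accept CIDR entries too).
pf_table_file() {
    active_addrs "$1"
}

# Stand-alone run: write both artifacts next to the script.
if [ "${1:-}" = "--write" ]; then
    ipset_restore_script "$CLIENTS" > paying.ipset
    pf_table_file "$CLIENTS" > pf.paying
    echo "active entries: $(count_active "$CLIENTS")"
fi
```

On the Linux side the generated file is loaded with `ipset restore -exist < paying.ipset` and the set is referenced once from the ruleset, for example `iptables -A FORWARD -m set ! --match-set paying dst -j DROP` (the `dst` direction assumes the hosted server's address is the destination; use `src` if the list holds client source addresses). On the pf side the equivalent is `table <paying> persist file "/etc/pf.paying"` in pf.conf, a rule such as `block in quick on $ext_if to ! <paying>`, and `pfctl -t paying -T replace -f /etc/pf.paying` to reload the table without reloading the ruleset. In both cases the per-packet cost is a single set or table lookup rather than a walk through hundreds of individual rules, which is the property that makes a per-client allowlist workable at high packet rates.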
Re: [CentOS] Optimizing CentOS for gigabit firewall
after quick search in google: http://postfactum.pl.ua/pf/

I will test patching the latest linux kernel with pf. What do you think?

sadas sadas wrote:

[...]
Re: [CentOS] Optimizing CentOS for gigabit firewall
[...] I love linux, I've been using it for almost 15 years now, I absolutely hate iptables (and ipchains, and ipfwadm). By contrast I absolutely hate everything about OpenBSD except for pf (which I love, ipfw and ipf aren't too bad either, at least for the era), so I use OpenBSD for firewalls, and linux for everything else.

I can back this; during 2009, I deployed a bunch of load balancers running OpenBSD (using pf, carpd, and relayd). I used to be a super die hard BSD guy, but through the years and having used/deployed/propagated NetBSD, then FreeBSD, then OpenBSD, then NetBSD again, I took one of my usual once-a-year looks at GNU/Linux (this time, it was CentOS, after having worked with RHEL for some years), and I got settled here.

Long story short: I'd really recommend OpenBSD for your task. iptables really sucks. I recently deployed some machines running several virtual instances (however still the cheapest *proven* way to get several IP stacks in Linux) doing L2 routing; I threw iptables off of those machines because it just can't handle stuff at that rate.
OpenBSD rocks, I even have a setup running (active-active, load balanced) at about 40Mbps using Alix boards [0] -- they rock, and they are in no way busy. OpenBSD's documentation is the best out there, its documentational quality is what I really really badly miss in the Linux world. However, the community is a bunch of (sorry in advance) assholes. But this is well known throughout the internet, so: You have been warned. Great product, totally lame vendor. ;)

Timo

[0] -- http://pcengines.ch/alix.htm
Re: [CentOS] Optimizing CentOS for gigabit firewall
after quick search in google: http://postfactum.pl.ua/pf/ I will test patching the latest linux kernel with pf. What do you think?

Get OpenBSD. Honestly -- all the porting stuff of relatively kernel-close stuff is just braindead.

Timo

sadas sadas wrote:

[...]
Re: [CentOS] Optimizing CentOS for gigabit firewall
What about NetBSD? I heard that NetBSD has the best network stack out there. Maybe NetBSD with pf is the best choice?

[...]
Re: [CentOS] Optimizing CentOS for gigabit firewall
What about NetBSD? I heard that NetBSD has the best network stack out there. Maybe NetBSD with pf is the best choice?

NetBSD is a very nice OS, I personally like it most (out of all BSDs out there); however, as can be read on http://www.netbsd.org/docs/network/pf.html there's the 'usual lag': OpenBSD implements feature X in 4.6, wait some time to see it implemented elsewhere. One of the biggest strengths of OpenBSD is that it's really a completely rounded piece of work. Keep it that way. pf will perform best on OpenBSD, with all the nice features it has.

HTH, Timo

[...]
Re: [CentOS] Optimizing CentOS for gigabit firewall
after quick search in google: http://postfactum.pl.ua/pf/ I will test patching the latest linux kernel with pf.

Hey! Wait: The name of this patchset is not connected with the BSD Packet Filter. «pf» means «post-factum» in the short form.

What do you think?

Get OpenBSD. Honestly -- all the porting stuff of relatively kernel-close stuff is just braindead.

If you need PF, get OpenBSD.
Re: [CentOS] Optimizing CentOS for gigabit firewall
I don't know jack about IPSet, but I know enabling or disabling hosts in bare stock PF without the gui in front of it is about as easy as it gets. The PF configuration file syntax was designed from the ground up to be sane, unlike iptables, which typically needs some decent sysadmin scripting or using fwbuilder to make any good sense of.

There is no finer opensource firewall product on the market, in terms of performance, ease of configuration and use, and other issues. If you're not opposed to vi, for what you're looking to accomplish, moving to BSD and pf is a no-brainer. PF can definitely handle a list of 500 hosts and anything else you've mentioned. It's absolutely capable, easier, and in general, for anything that involves packet filtering at all, about as good as it gets.

Peter

On Fri, Dec 18, 2009 at 11:36 AM, sadas sadas mai...@abv.bg wrote:

I will explain more deeply. I need to deploy a firewall(s) in front of the web server farm because I need to do billing - I will use CentOS with iptables + ipset to store a list of my clients, so when a client doesn't pay his server's IP is out of the list and he can't access the web server. Second - I know that iptables is very heavy and it's not recommended to use it in a gigabit firewall but I don't have a choice, as far as I know only ipset works with iptables. I don't know if pf can store 500 IPs in one list. Ipset is written for that purpose. I can't find information on whether there is a linux or BSD distribution with an effective firewall that uses an optimized algorithm to store hundreds of IPs and to forward huge traffic. Any idea?

regards

[...]
Re: [CentOS] Optimizing CentOS for gigabit firewall
Timo Schoeler wrote:

What about NetBSD? I heard that NetBSD has the best network stack out there. Maybe NetBSD with pf is the best choice?

NetBSD is a very nice OS, I personally like it most (out of all BSDs out there); however, as can be read on http://www.netbsd.org/docs/network/pf.html there's the 'usual lag': OpenBSD implements feature X in 4.6, wait some time to see it implemented elsewhere. One of the biggest strengths of OpenBSD is that it's really a completely rounded piece of work. Keep it that way. pf will perform best on OpenBSD, with all the nice features it has.

Has anyone used Firewall Builder to create a complex set of iptables rules? Or compared performance where it built the same thing for linux/iptables and bsd/pf?

-- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] Optimizing CentOS for gigabit firewall
You can't patch the Berkeley Packet Filter into Linux. The Linux kernel doesn't support it.

and...

Despite a cacophonous chorus of replies directing you to the right tool for the job, you insist on sticking with Linux. If you want to use the wrong tool for the job, by all means, use ipset/iptables - have a great time with it. When it doesn't give you the performance you want, then you will probably go buy something else. I don't care how you pretty up iptables and its predecessor, ipchains, it's still a black eye on Linux comparatively speaking. Berkeley invented TCP/IP, the Berkeley TCP/IP stack is implemented on just about every platform/OS combination there is. Berkeley *is* networking.

And yes, the community around BSD are assholes, but they are semi-entitled. Their shit is way better documented than just about anything else in Open Source, including most things Linux.

Peter

On Fri, Dec 18, 2009 at 12:16 PM, sadas sadas mai...@abv.bg wrote:

after quick search in google: http://postfactum.pl.ua/pf/ I will test patching the latest linux kernel with pf. What do you think?

-- Peter Serwe http://truthlightway.blogspot.com/
Re: [CentOS] Optimizing CentOS for gigabit firewall
On 12/18/2009 10:05 PM, Peter Serwe wrote:

I don't know jack about IPSet, but I know enabling or disabling hosts in bare stock PF without the gui in front of it is about as easy as it gets. The PF configuration file syntax was designed from the ground up to be sane, unlike iptables, which typically needs some decent sysadmin scripting or using fwbuilder to make any good sense of. There is no finer opensource firewall product on the market, in terms of performance, ease of configuration and use, and other issues. If you're not opposed to vi, for what you're looking to accomplish, moving to BSD and pf is a no-brainer. PF can definitely handle a list of 500 hosts and anything else you've mentioned. It's absolutely capable, easier, and in general, for anything that involves packet filtering at all, about as good as it gets.

Peter

Just as a recommendation: Besides OpenBSD's really fantastic documentation, there are some books that are really great:

The Book of PF: A No-Nonsense Guide to the BSD Firewall (by Peter N. M. Hansteen)
The OpenBSD PF Packet Filter Book (by Jeremy C. Reed)

HTH, Timo
Re: [CentOS] Optimizing CentOS for gigabit firewall
On 12/18/2009 10:12 PM, Peter Serwe wrote:

You can't patch the Berkeley Packet Filter into Linux. The Linux kernel doesn't support it. and... Despite a cacophonous chorus of replies directing you to the right tool for the job, you insist on sticking with Linux. If you want to use the wrong tool for the job, by all means, use ipset/iptables - have a great time with it. When it doesn't give you the performance you want, then you will probably go buy something else. I don't care how you pretty up iptables and its predecessor, ipchains, it's still a black eye on Linux comparatively speaking. Berkeley invented TCP/IP, the Berkeley TCP/IP stack is implemented on just about every platform/OS combination there is. Berkeley *is* networking. And yes, the community around BSD are assholes,

(I'd like to say that all other BSD communities are very friendly; the one exception is the OpenBSD guys. OTOH, they're sometimes more than on the right track: E.g., when they say 'open source', they mean it. GNU/Linux is as lame as the FreeBSD guys, as both allow tainted stuff, such as binary-only drivers (nVidia, e.g.). NetBSD is neither nor.

Timo

but they are semi-entitled. Their shit is way better documented than just about anything else in Open Source, including most things Linux.

Peter
Re: [CentOS] Optimizing CentOS for gigabit firewall
On 12/18/2009 4:12 PM, Peter Serwe wrote:

You can't patch the Berkeley Packet Filter into Linux. The Linux kernel doesn't support it. and... Despite a cacophonous chorus of replies directing you to the right tool for the job, you insist on sticking with Linux. If you want to use the wrong tool for the job, by all means, use ipset/iptables - have a great time with it. When it doesn't give you the performance you want, then you will probably go buy something else.

Or wrap it up using Shorewall or one of the other meta tools that manage the iptables chains for you.
Re: [CentOS] Optimizing CentOS for gigabit firewall
On Friday 18 December 2009 16:05, Peter Serwe wrote:
> I don't know jack about IPSet, but I know enabling or disabling hosts in bare stock PF without the gui in front of it is about as easy as it gets.

IPTABLES is the same; iptables -A [INPUT/FORWARD] -d <ip address> -j [REJECT/DROP]

> The PF configuration file syntax was designed from the ground up to be sane, unlike iptables, which typically needs some decent sysadmin scripting or using fwbuilder to make any good sense of.

I beg to differ here. IPTABLES is not that hard when you understand it. Like anything else, once you know what you are doing it isn't that hard. And no, I have never used any GUI program to configure my firewalls.

> There is no finer opensource firewall product on the market, in terms of performance, ease of configuration and use, and other issues.

This is all subjective to the user. I would say that PF is a nightmare and IPTABLES is easier to use.

> If you're not opposed to vi, for what you're looking to accomplish, moving to BSD and pf is a no-brainer. PF can definitely handle a list of 500 hosts and anything else you've mentioned. It's absolutely capable, easier, and in general, for anything that involves packet filtering at all, about as good as it gets.

Again this is all subjective to the user.

--
Regards
Robert
Linux User #296285 http://counter.li.org
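Robert's one-rule-per-address form above works, but for the original poster's list of several hundred paying clients the ipset approach keeps the iptables rule count constant and lets the list be replaced without a window in which the set is empty. The script below is an added example, not code from any message in this thread; the set name, the web farm subnet and the client list path are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): keep the paying-client list in an
# ipset referenced by ONE iptables rule instead of one rule per IP. SET_NAME
# and WEB_NET are assumed placeholders; the live set is created once at boot
# (ipset create paying_clients hash:ip) and each refresh builds a temp set
# and swaps it in, so the live set is never empty mid-update.

SET_NAME="${SET_NAME:-paying_clients}"
WEB_NET="${WEB_NET:-203.0.113.0/24}"   # assumed web server farm subnet
# validate_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
validate_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ipset_batch: read one IPv4 per line from stdin ('#' comments and blank
# lines allowed) and print an "ipset restore" batch that rebuilds SET_NAME
# atomically. Bad lines are reported on stderr and skipped, not fatal.
ipset_batch() {
    tmp="${SET_NAME}_tmp"
    printf 'create %s hash:ip family inet hashsize 1024 maxelem 65536\n' "$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        ip=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        [ -n "$ip" ] || continue
        if validate_ipv4 "$ip"; then
            printf 'add %s %s\n' "$tmp" "$ip"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done
    printf 'swap %s %s\ndestroy %s\n' "$tmp" "$SET_NAME" "$tmp"
}

# iptables_rules: print the FORWARD rules for the web farm. Established flows
# bypass the set lookup; new flows are accepted only from set members.
# (ipset 4.x on CentOS 5 spelled the match "--set NAME src" instead.)
iptables_rules() {
    printf 'iptables -A FORWARD -d %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$WEB_NET"
    printf 'iptables -A FORWARD -d %s -m set --match-set %s src -j ACCEPT\n' "$WEB_NET" "$SET_NAME"
    printf 'iptables -A FORWARD -d %s -j DROP\n' "$WEB_NET"
}
```

On the firewall, as root, a refresh is `ipset_batch < /etc/firewall/paying_clients.txt | ipset restore` (assumed path) and the rules are installed once with `iptables_rules | sh`.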
Re: [CentOS] Optimizing CentOS for gigabit firewall
The syntax is not a problem. The problem is in the performance. I suppose that if I configure OpenBSD to process the in/out packets only to layer 2 the performance will be much more than linux with iptables.
Re: [CentOS] Optimizing CentOS for gigabit firewall
So basically, you're saying you'd want to allow or disallow traffic based on mac address? Seems like you could put mac filters on a number of switches, Cisco being the most easily documented by Mr. Google. Be a lot faster than any kernel, and a total waste of BSD. If you can do it on Linux via some other mechanism, go for it. The fact is, PF will do line rate layer 3 packet filtering if you've got the hardware to support it. Try and see.

Peter

On Fri, Dec 18, 2009 at 10:49 PM, sadas sadas mai...@abv.bg wrote:
> The syntax is not a problem. The problem is in the performance. I suppose that if I configure OpenBSD to process the in/out packets only to layer 2 the performance will be much more than linux with iptables.

--
Peter Serwe
http://truthlightway.blogspot.com/