On 8/11/2014 1:32 PM, Tom Eastep wrote:
> On 8/11/2014 10:02 AM, PGNd wrote:
>> Given the simple /rules example
>>
>> #ACTION SOURCE DEST PROTO DEST
>> # PORT
>> ACCEPT net $FW tcp 1234
>> ACCEPT net $FW udp 5678
>>
>> Is there additional/further Shorewall 'shorthand' that should
>> 'better' consolidate. Something equivalent to,
>>
>> ACCEPT net $FW tcp:1234,udp:5678
>>
>> perhaps ?
>>
>> My understanding suggests that it may not be worth worrying about, as
>> the written rules might only affect COMPILE time.
>>
>> The RUNTIME performance of the firewall would be dictated by the
>> OPTIMIZE level. In my case I've set it in shorewall.conf to
>>
>> OPTIMIZE=All
>>
>> How dependent is runtime performance on config file 'style'? Just
>> ignore it, and depend on the OPTIMIZEr to do its best?
>
> There are a couple of shortcomings of Shorewall's current optimization:
>
> a) It can't reorder rules based on frequency of match.
> b) It doesn't detect all cases where adjacent rules could be
> optimized by creating a separate chain.
One more note about Shorewall optimization: Optimize level 8 is
expensive at compile time and generally results in a *smaller* but *no
more efficient* ruleset. Given that iptables crashes with rulesets
larger than around 64k rules, this optimization is best for those with
very large Shorewall rulesets. You can estimate the size of your ruleset by:

    shorewall check -r | wc -l

Example:

With Optimize Level 8 (OPTIMIZE=All):

    root@gateway:~# time shorewall check -r | wc -l
    1160

    real 0m2.240s
    user 0m1.392s
    sys 0m0.392s
    root@gateway:~#

Without Optimize Level 8 (OPTIMIZE=23):

    root@gateway:~# time shorewall check -r | wc -l
    1367

    real 0m2.115s
    user 0m1.340s
    sys 0m0.344s
    root@gateway:~#
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
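To make shortcomings (a) and (b) above concrete, here is an added toy model of linear chain evaluation (my own code, not Shorewall's or netfilter's): it counts how many rule tests a constructed traffic mix costs for the rules as written, reordered by hit frequency, and regrouped into per-protocol sub-chains. The rules, the packet counts and the simplified (proto, port) matching are all assumptions for illustration.

```python
# Constructed toy model of linear iptables-style chain evaluation (not Shorewall or
# netfilter code): rule *count* and per-packet *cost* are different things.

def evaluate(chain, pkt):
    """Walk a chain in order like iptables; return (verdict, rules examined).
    A rule is ('match', proto, port, verdict) or ('jump', proto, subchain);
    verdict None means the chain was exhausted (RETURN / fall through to policy)."""
    checks = 0
    for rule in chain:
        checks += 1
        if rule[0] == "match":
            _, proto, port, verdict = rule
            if (proto, port) == pkt:
                return verdict, checks
        else:  # 'jump': one protocol test guards a whole sub-chain
            _, proto, sub = rule
            if proto == pkt[0]:
                verdict, sub_checks = evaluate(sub, pkt)
                checks += sub_checks
                if verdict is not None:
                    return verdict, checks
    return None, checks

def cost(chain, traffic):
    """Total rule tests needed to classify a traffic mix {(proto, port): packets}."""
    return sum(evaluate(chain, pkt)[1] * n for pkt, n in traffic.items())

def reorder_by_frequency(chain, traffic):
    """Shortcoming (a): put the most-hit 'match' rules first. Only safe when no
    two rules overlap, which holds here (each (proto, port) appears once)."""
    return sorted(chain, key=lambda r: -traffic.get((r[1], r[2]), 0))

def split_by_proto(chain):
    """Shortcoming (b): fold each run of adjacent same-protocol rules into one
    jump rule plus a sub-chain, so packets of another protocol skip the run."""
    out = []
    for rule in chain:
        if out and out[-1][1] == rule[1]:
            out[-1][2].append(rule)
        else:
            out.append(("jump", rule[1], [rule]))
    return out

# Constructed sample: rules in /rules order and an assumed observed traffic mix.
RULES = [("match", "tcp", 1234, "ACCEPT"), ("match", "tcp", 22, "ACCEPT"),
         ("match", "tcp", 443, "ACCEPT"), ("match", "udp", 5678, "ACCEPT"),
         ("match", "udp", 53, "ACCEPT")]
TRAFFIC = {("tcp", 443): 900, ("udp", 53): 600, ("tcp", 22): 40,
           ("udp", 5678): 10, ("tcp", 1234): 5}
```

Compare `cost(RULES, TRAFFIC)` with the reordered and split variants: on this five-rule sample, reordering cuts the total tests by more than half, while the per-protocol sub-chains cost more, because every packet pays the extra jump test and the skipped runs are short. Whether a separate chain pays off depends on how many rules the skipped packets avoid versus that extra test.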
Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
