Dual-homed firewall, web server on the private network, firewall is
doing 1:1 NAT for the web server to the public interface of the
firewall. em0 is the public interface, em1 is the private one.
In the exact same setup (same hardware even) I am comparing Linux and
OpenBSD for a firewall. Installed Linux on a hard-disc, OpenBSD on
another disc, and I'm just swapping discs while I'm testing.
All firewall rules are written as stateless as possible - I don't need
stateful filtering, the setup is very simple (allow HTTP inbound, allow
a few ICMP types, and that's it).
With Linux, I achieve gigabit transfer speeds through the firewall
(saturating the network ports), but the firewall refuses to let any new
connection through when I flood it with a bunch of small UDP packets
with random source addresses.
I expected OpenBSD 4.1 to do better. But the thing is, even without the
UDP flood, the OpenBSD firewall is very slow. I am downloading a huge
file through it, via HTTP, and all I get is 4 Mbyte / sec. With Linux I
get 112 Mbyte / sec.
Something's wrong. Or I'm doing something wrong.
The hardware is AMD64, Tyan Transport, 2 CPUs 2 cores each. I am using
the SMP kernel. The network card is Intel Pro/1000 PCI Express 4x dual
gigabit port, it carries both em0 and em1.
=========================
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
fxp0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:81:4a:0a:7f
        media: Ethernet autoselect (none)
        status: no carrier
bge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:81:4a:0a:a8
        media: Ethernet autoselect (none)
        status: no carrier
bge1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:81:4a:0a:a9
        media: Ethernet autoselect (none)
        status: no carrier
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:15:17:37:e9:fa
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 10.123.0.10 netmask 0xffffff00 broadcast 10.123.0.255
        inet6 fe80::215:17ff:fe37:e9fa%em0 prefixlen 64 scopeid 0x4
        inet 10.123.0.253 netmask 0xffffffff broadcast 10.123.0.253
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:15:17:37:e9:fb
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 10.123.1.10 netmask 0xffffff00 broadcast 10.123.1.255
        inet6 fe80::215:17ff:fe37:e9fb%em1 prefixlen 64 scopeid 0x5
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33192
enc0: flags=0<> mtu 1536
==================================
TRANSLATION RULES:
binat on em0 inet from 10.123.1.253 to any -> 10.123.0.253

FILTER RULES:
pass quick on em1 all no state
pass in quick on em0 inet proto tcp from any to 10.123.1.253 port = www no state
pass in quick on em0 inet proto icmp from any to 10.123.1.253 icmp-type echoreq no state
pass in quick on em0 inet proto icmp from any to 10.123.1.253 icmp-type echorep no state
pass in quick on em0 inet proto icmp from any to 10.123.1.253 icmp-type unreach no state
pass in quick on em0 inet proto icmp from any to 10.123.1.253 icmp-type paramprob no state
pass in quick on em0 inet proto icmp from any to 10.123.1.253 icmp-type trace no state
pass in quick on em0 inet proto icmp from any to 10.123.1.253 icmp-type timex no state
pass in quick on em0 inet from any to 10.123.0.10 no state
block drop in quick all
pass out all no state

No queue in use
STATES:
all tcp 10.123.1.253:80 <- 10.123.0.253:80 <- 10.123.0.251:47108       ESTABLISHED:ESTABLISHED

INFO:
Status: Enabled for 0 days 00:09:49              Debug: Urgent

State Table                          Total             Rate
  current entries                        1
  searches                         3809717         6468.1/s
  inserts                                6            0.0/s
  removals                               5            0.0/s
Counters
  match                            1812847         3077.8/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                        116169          197.2/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                   30s
tcp.opening                  5s
tcp.established          18000s
tcp.closing                 60s
tcp.finwait                 30s
tcp.closed                  30s
tcp.tsdiff                  10s
udp.first                   60s
udp.single                  30s
udp.multiple                60s
icmp.first                  20s
icmp.error                  10s
other.first                 60s
other.single                30s
other.multiple              60s
frag                        30s
interval                    10s
adaptive.start            6000 states
adaptive.end             12000 states
src.track                    0s

LIMITS:
states        hard limit   10000
src-nodes     hard limit   10000
frags         hard limit    5000
tables        hard limit    1000
table-entries hard limit  100000

OS FINGERPRINTS:
696 fingerprints loaded
--
Florin Andrei
http://florin.myip.org/
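As an added example (not part of Florin's post), a small Python parser for the `pfctl -si` block quoted above: it pulls the State Table and Counters sections into a dict and lists the nonzero drop-reason counters (every counter under `Counters` except `match` is a reason pf dropped a packet), which for the figures above singles out `congestion` at 197.2/s. The embedded sample is a subset of the rows from the post; the `ROW` regex and function names are this example's own.

```python
import re

# Subset of the "pfctl -si" output quoted in the post above, embedded as
# sample input (rows with all-zero counters omitted except a few).
PFCTL_SI_SAMPLE = """\
State Table                          Total             Rate
  current entries                        1
  searches                         3809717         6468.1/s
  inserts                                6            0.0/s
  removals                               5            0.0/s
Counters
  match                            1812847         3077.8/s
  bad-offset                             0            0.0/s
  short                                  0            0.0/s
  congestion                        116169          197.2/s
  state-mismatch                         0            0.0/s
  state-limit                            0            0.0/s
"""

# One counter row: name, total, optional "<rate>/s" (hypothetical regex).
ROW = re.compile(r"^\s*([a-z-]+(?: entries)?)\s+(\d+)(?:\s+([\d.]+)/s)?\s*$")


def parse_pfctl_si(text):
    """Return {section: {counter: (total, rate)}} for the State Table and
    Counters sections of 'pfctl -si' output; rate is None when absent."""
    sections, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            # Section header ("State Table ... Total Rate" or "Counters").
            current = re.split(r"\s{2,}", line.strip())[0]
            sections[current] = {}
        elif current is not None:
            m = ROW.match(line)
            if m:
                name, total, rate = m.group(1), int(m.group(2)), m.group(3)
                sections[current][name] = (total, float(rate) if rate else None)
    return sections


def nonzero_drop_reasons(counters):
    """Every counter under 'Counters' except 'match' is a pf drop reason;
    return the nonzero ones, highest rate first."""
    drops = {k: v for k, v in counters.items() if k != "match" and v[0] > 0}
    return sorted(drops, key=lambda k: drops[k][1] or 0, reverse=True)


if __name__ == "__main__":
    parsed = parse_pfctl_si(PFCTL_SI_SAMPLE)
    print("drop reasons seen:", nonzero_drop_reasons(parsed["Counters"]))
```

Run it against the full `pfctl -si` output on the firewall to see which drop reasons are climbing while the transfer is slow.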