As I don't use group/head right now maybe I'll give that a try. I also forgot to mention that I have about 28 "count" rules which I use to get various stats (bandwidth, state, packet) and graph them with mrtg. Could they be slowing me down somehow?
Marcin

-----Original Message-----
From: Erik Fichtner [mailto:[EMAIL PROTECTED]
Sent: August 9, 2004 1:55 PM
To: Marcin Pacyna
Cc: IPFilter Mailing List
Subject: Re: IPFilter performance

On Mon, Aug 09, 2004 at 01:31:38PM -0400, Marcin Pacyna wrote:
> * This setup is running on a PIII-500MHz, 256MB RAM, with 2 NICs (fxp's).
> * There are 13 servers behind the firewall.
> * The firewall is passing about 250 KB/s out and about 30 KB/s in, with
>   spikes up to 500 KB/s out and 90 KB/s in.
> * I'm averaging about 3000 states at any one time with about 500 new states
>   created per minute.
> * I'm also passing about 600 packets per second.
> * I have 166 rules and I don't use "head"/"group"
> I'm having problems where mid-day I'm starting to get icmp packet loss (up to
> 50% for a couple of minutes)

Odd. I have a bunch of similar systems (p3-550's, 256mb, dual fxps, bridging, on obsd2.9). I use head/group, with ~30 heads. I don't pass ICMP (other than PMTU), and they don't get upset and start bogging down until about 45-50Mb/sec on diverse http traffic at a churn of ~6000 states/sec.

I wouldn't expect your ruleset size to make that much difference, but who knows. According to all the other datapoints given, your firewall should be totally idle. Perhaps it's getting bored? ;)

--
Erik Fichtner; Unix Ronin
