I have a couple of firewalls that are rather complicated - one has 21
interfaces, and the other has about 50 (there's some heavy use of
802.1q; they only have half a dozen network cards). They work okay,
but - compiling the rules takes a long time even on the faster
servers, and restarting shorewall-lite takes between 5 and 10 minutes
(during which time, only the routestopped stuff will work).

It would be nice if the compiler was faster (although the lesson here
might be "don't write complicated software in sh"), but it's the
network outage that's the really awkward part. As far as I can tell,
the main thing that slows it down there is the time taken to spawn
iptables about 9000 times (estimate based on the final state, assuming
one call per chain and one per rule; actual figure is probably
higher). I haven't analysed it carefully to see whether it's the
shell, the dynamic linker, or the kernel that takes most of the time,
but my bet would be on the linker.

So it seems like there are two ways to tackle this problem. The first is
to dramatically reduce the number of iptables rules used by the
firewall by restructuring it differently - I'm not sure if this is
possible, so I'm attaching the relevant parts of one of them in case
anybody has any ideas (the other is much the same, only bigger). The
other way is to modify shorewall to use a different approach to
installing rules. It seems to me that iptables-restore could be
(ab)used to perform batch installations of many rules at once. I think
that's either a really good idea or a really bad one, but I'm not sure
which.

(The config files have been minimally pruned for customer privacy
reasons - mostly comments, and a few extra ACCEPT rules, nothing
significant. All the files not included are the defaults.)
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
rogue
site
mon
mng
serv
dev
nec
tag
woff
aoff
wfl1
wfl2
wfl3
wfl4
wfl5
wfl6
wfl7
wfl8
wfl9
wfl10
wfl11
wfl12
wfl13
wfl14
wfl15
wfl16
wfl17
wfl18
wfl19
wfl20
wfl21
wfl22
wfl23
wfl24
wfl25
wfl26
wfl27
wfd
wbd
wdayc
afl1
afl2
afl3
afl4
afl5
afl6
afl7
afl8
afl9
afl10
afl11
afl12
afl13
afl14
afl15
afl16
vpn
link
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
link eth2.102 detect
aoff eth2.201 detect dhcp
serv eth2.100 detect dhcp
dev eth2.202 detect
afl1 eth2.31 detect dhcp
afl2 eth2.32 detect dhcp
afl3 eth2.33 detect dhcp
afl4 eth2.34 detect dhcp
afl5 eth2.35 detect dhcp
afl6 eth2.36 detect dhcp
afl7 eth2.37 detect dhcp
afl8 eth2.38 detect dhcp
afl9 eth2.39 detect dhcp
afl10 eth2.40 detect dhcp
afl11 eth2.41 detect dhcp
afl12 eth2.42 detect dhcp
afl13 eth2.43 detect dhcp
afl14 eth2.44 detect dhcp
afl15 eth2.45 detect dhcp
afl16 eth2.46 detect dhcp
rogue eth2.1 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
###############################################################################
#ZONE HOST(S) OPTIONS
site eth2.100:10.1.0.0/24
mon eth2.201:10.1.201.11
# For practical purposes, we'll classify these as part of the management zone
mng eth2.102:10.1.102.11
mng eth2.102:10.1.102.12
woff eth2.102:10.1.200.0/24
nec eth2.102:10.1.106.0/25
tag eth2.102:10.1.106.128/25
vpn eth2.102:10.1.105.0/24
mng eth2.102:10.1.101.0/24
wfl1 eth2.102:10.1.1.0/24
wfl2 eth2.102:10.1.2.0/24
wfl3 eth2.102:10.1.3.0/24
wfl4 eth2.102:10.1.4.0/24
wfl5 eth2.102:10.1.5.0/24
wfl6 eth2.102:10.1.6.0/24
wfl7 eth2.102:10.1.7.0/24
wfl8 eth2.102:10.1.8.0/24
wfl9 eth2.102:10.1.9.0/24
wfl10 eth2.102:10.1.10.0/24
wfl11 eth2.102:10.1.11.0/24
wfl12 eth2.102:10.1.12.0/24
wfl13 eth2.102:10.1.13.0/24
wfl14 eth2.102:10.1.14.0/24
wfl15 eth2.102:10.1.15.0/24
wfl16 eth2.102:10.1.16.0/24
wfl17 eth2.102:10.1.17.0/24
wfl18 eth2.102:10.1.18.0/24
wfl19 eth2.102:10.1.19.0/24
wfl20 eth2.102:10.1.20.0/24
wfl21 eth2.102:10.1.21.0/24
wfl22 eth2.102:10.1.22.0/24
wfl23 eth2.102:10.1.23.0/24
wfl24 eth2.102:10.1.24.0/24
wfl25 eth2.102:10.1.25.0/24
wfl26 eth2.102:10.1.26.0/24
wfl27 eth2.102:10.1.27.0/24
wfd eth2.102:10.1.50.0/24
wbd eth2.102:10.1.51.0/24
wdayc eth2.102:10.1.52.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT(S) PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
# Reject all new tcp packets that aren't SYNs - these are junk, or worms
rejNotSyn:info link all tcp
ACCEPT fw link 89
ACCEPT link fw 89
Ping/ACCEPT fw all
Ping/ACCEPT serv all
Ping/ACCEPT woff fw
Ping/ACCEPT all serv
Ping/ACCEPT all fw
Ping/ACCEPT all link
Ping/ACCEPT link serv:195.80.27.218
# Site DNS service
DNS/ACCEPT all site:10.1.0.1
DNS/ACCEPT serv:10.1.100.2 link
# SSH - pretty permissive here
SSH/ACCEPT all link
SSH/ACCEPT fw all
SSH/ACCEPT all fw
SSH/ACCEPT woff serv
SSH/ACCEPT aoff serv
# Outbound mail access
IMAPS/ACCEPT woff link
# OpenVPN tunnels
ACCEPT all fw tcp openvpn
ACCEPT all fw udp openvpn
# Internet-accessible services
IMAPS/ACCEPT all serv:10.1.100.2
Web/ACCEPT all serv:10.1.100.2
SMTP/ACCEPT all serv:10.1.100.2
DNS/ACCEPT all serv:10.1.100.2
NTP/ACCEPT all serv:10.1.100.2
Web/ACCEPT woff serv:10.1.100.5
Web/ACCEPT aoff serv:10.1.100.5
ACCEPT woff serv:10.1.100.6 tcp 3050,5900
ACCEPT aoff serv:10.1.100.6 tcp 3050,5900
SMB/ACCEPT woff serv
SMB/ACCEPT aoff serv
SMB/ACCEPT serv woff
SMB/ACCEPT serv aoff
# Systems management
Telnet/ACCEPT woff mng
Web/ACCEPT woff mng
Telnet/ACCEPT aoff mng
Web/ACCEPT aoff mng
Telnet/ACCEPT fw mng
Web/ACCEPT fw mng
ACCEPT mng serv udp tftp
# For the servers
Web/ACCEPT serv:10.1.100.2 link
FTP/ACCEPT serv:10.1.100.2 link
NTP/ACCEPT serv:10.1.100.2 link
SMTP/ACCEPT serv:10.1.100.2 link
Web/ACCEPT serv:10.1.100.2 mon
Web/ACCEPT fw all
SMB/ACCEPT fw all
SMB/ACCEPT all fw
# Site services
NTP/ACCEPT all site:10.1.0.2
# Web proxy access
ACCEPT all serv:10.1.100.2 tcp http,webcache
ACCEPT site:10.1.0.3 nec tcp 5060,5070,1720,1730
ACCEPT site:10.1.0.3 nec udp 5060,5070
ACCEPT site:10.1.0.3 nec udp 8000:8020,10020:10040,10100,4000,1720,3000,3001,1000
ACCEPT nec site:10.1.0.3 tcp 5060,5070,1720,1730
ACCEPT nec site:10.1.0.3 udp 5060,5070
ACCEPT nec site:10.1.0.3 udp 8000:8020,10020:10040,10100,4000,1720,3000,3001,1000
ACCEPT woff nec tcp 8,8000
ACCEPT woff nec tcp 5060,5070
ACCEPT woff nec udp 5060,5070
ACCEPT woff nec udp 8000:8020,10020:10040,10100,4000,1720,3000,3001,1000,3456,3458
ACCEPT nec woff udp 5060,5070
ACCEPT nec woff udp 8000:8020,10020:10040,10100,4000,1720,3000,3001,1000,3456,3458
ACCEPT nec site:10.1.0.3 all
ACCEPT site:10.1.0.3 nec all
ACCEPT woff site:10.1.0.3 udp 5060,5070,8000:8020,10020:10040
ACCEPT woff mon:10.1.200.11 udp 5060,5070,8000:8020,10020:10040
# Tag control stuff
SSH/ACCEPT woff mon
Web/ACCEPT woff mon
ACCEPT woff mon udp 12001
ACCEPT mon wfl1:10.1.1.2 udp tftp,12000
ACCEPT mon wfl2:10.1.2.2 udp tftp,12000
ACCEPT mon wfl3:10.1.3.2 udp tftp,12000
ACCEPT mon wfl4:10.1.4.2 udp tftp,12000
ACCEPT mon wfl5:10.1.5.2 udp tftp,12000
ACCEPT mon wfl6:10.1.6.2 udp tftp,12000
ACCEPT mon wfl7:10.1.7.2 udp tftp,12000
ACCEPT mon wfl8:10.1.8.2 udp tftp,12000
ACCEPT mon wfl9:10.1.9.2 udp tftp,12000
ACCEPT mon wfl10:10.1.10.2 udp tftp,12000
ACCEPT mon wfl11:10.1.11.2 udp tftp,12000
ACCEPT mon wfl12:10.1.12.2 udp tftp,12000
ACCEPT mon wfl13:10.1.13.2 udp tftp,12000
ACCEPT mon wfl14:10.1.14.2 udp tftp,12000
ACCEPT mon wfl15:10.1.15.2 udp tftp,12000
ACCEPT mon wfl16:10.1.16.2 udp tftp,12000
ACCEPT mon wfl17:10.1.17.2 udp tftp,12000
ACCEPT mon wfl18:10.1.18.2 udp tftp,12000
ACCEPT mon wfl19:10.1.19.2 udp tftp,12000
ACCEPT mon wfl20:10.1.20.2 udp tftp,12000
ACCEPT mon wfl21:10.1.21.2 udp tftp,12000
ACCEPT mon wfl22:10.1.22.2 udp tftp,12000
ACCEPT mon wfl23:10.1.23.2 udp tftp,12000
ACCEPT mon wfl24:10.1.24.2 udp tftp,12000
ACCEPT mon wfl25:10.1.25.2 udp tftp,12000
ACCEPT mon wfl26:10.1.26.2 udp tftp,12000
ACCEPT mon wfl27:10.1.27.2 udp tftp,12000
ACCEPT mon wfd:10.1.50.2 udp tftp,12000
ACCEPT mon wbd:10.1.51.2 udp tftp,12000
ACCEPT mon wdayc:10.1.52.2 udp tftp,12000
ACCEPT mon afl1:10.1.1.2 udp tftp,12000
ACCEPT mon afl2:10.1.2.2 udp tftp,12000
ACCEPT mon afl3:10.1.3.2 udp tftp,12000
ACCEPT mon afl4:10.1.4.2 udp tftp,12000
ACCEPT mon afl5:10.1.5.2 udp tftp,12000
ACCEPT mon afl6:10.1.6.2 udp tftp,12000
ACCEPT mon afl7:10.1.7.2 udp tftp,12000
ACCEPT mon afl8:10.1.8.2 udp tftp,12000
ACCEPT mon afl9:10.1.9.2 udp tftp,12000
ACCEPT mon afl10:10.1.10.2 udp tftp,12000
ACCEPT mon afl11:10.1.11.2 udp tftp,12000
ACCEPT mon afl12:10.1.12.2 udp tftp,12000
ACCEPT mon afl13:10.1.13.2 udp tftp,12000
ACCEPT mon afl14:10.1.14.2 udp tftp,12000
ACCEPT mon afl15:10.1.15.2 udp tftp,12000
ACCEPT mon afl16:10.1.16.2 udp tftp,12000
ACCEPT wfl1:10.1.1.2 mon udp tftp,12000
ACCEPT wfl2:10.1.2.2 mon udp tftp,12000
ACCEPT wfl3:10.1.3.2 mon udp tftp,12000
ACCEPT wfl4:10.1.4.2 mon udp tftp,12000
ACCEPT wfl5:10.1.5.2 mon udp tftp,12000
ACCEPT wfl6:10.1.6.2 mon udp tftp,12000
ACCEPT wfl7:10.1.7.2 mon udp tftp,12000
ACCEPT wfl8:10.1.8.2 mon udp tftp,12000
ACCEPT wfl9:10.1.9.2 mon udp tftp,12000
ACCEPT wfl10:10.1.10.2 mon udp tftp,12000
ACCEPT wfl11:10.1.11.2 mon udp tftp,12000
ACCEPT wfl12:10.1.12.2 mon udp tftp,12000
ACCEPT wfl13:10.1.13.2 mon udp tftp,12000
ACCEPT wfl14:10.1.14.2 mon udp tftp,12000
ACCEPT wfl15:10.1.15.2 mon udp tftp,12000
ACCEPT wfl16:10.1.16.2 mon udp tftp,12000
ACCEPT wfl17:10.1.17.2 mon udp tftp,12000
ACCEPT wfl18:10.1.18.2 mon udp tftp,12000
ACCEPT wfl19:10.1.19.2 mon udp tftp,12000
ACCEPT wfl20:10.1.20.2 mon udp tftp,12000
ACCEPT wfl21:10.1.21.2 mon udp tftp,12000
ACCEPT wfl22:10.1.22.2 mon udp tftp,12000
ACCEPT wfl23:10.1.23.2 mon udp tftp,12000
ACCEPT wfl24:10.1.24.2 mon udp tftp,12000
ACCEPT wfl25:10.1.25.2 mon udp tftp,12000
ACCEPT wfl26:10.1.26.2 mon udp tftp,12000
ACCEPT wfl27:10.1.27.2 mon udp tftp,12000
ACCEPT wfd:10.1.50.2 mon udp tftp,12000
ACCEPT wbd:10.1.51.2 mon udp tftp,12000
ACCEPT wdayc:10.1.52.2 mon udp tftp,12000
ACCEPT afl1:10.1.1.2 mon udp tftp,12000
ACCEPT afl2:10.1.2.2 mon udp tftp,12000
ACCEPT afl3:10.1.3.2 mon udp tftp,12000
ACCEPT afl4:10.1.4.2 mon udp tftp,12000
ACCEPT afl5:10.1.5.2 mon udp tftp,12000
ACCEPT afl6:10.1.6.2 mon udp tftp,12000
ACCEPT afl7:10.1.7.2 mon udp tftp,12000
ACCEPT afl8:10.1.8.2 mon udp tftp,12000
ACCEPT afl9:10.1.9.2 mon udp tftp,12000
ACCEPT afl10:10.1.10.2 mon udp tftp,12000
ACCEPT afl11:10.1.11.2 mon udp tftp,12000
ACCEPT afl12:10.1.12.2 mon udp tftp,12000
ACCEPT afl13:10.1.13.2 mon udp tftp,12000
ACCEPT afl14:10.1.14.2 mon udp tftp,12000
ACCEPT afl15:10.1.15.2 mon udp tftp,12000
ACCEPT afl16:10.1.16.2 mon udp tftp,12000
Web/ACCEPT mon wfl1:10.1.1.2
Web/ACCEPT mon wfl2:10.1.2.2
Web/ACCEPT mon wfl3:10.1.3.2
Web/ACCEPT mon wfl4:10.1.4.2
Web/ACCEPT mon wfl5:10.1.5.2
Web/ACCEPT mon wfl6:10.1.6.2
Web/ACCEPT mon wfl7:10.1.7.2
Web/ACCEPT mon wfl8:10.1.8.2
Web/ACCEPT mon wfl9:10.1.9.2
Web/ACCEPT mon wfl10:10.1.10.2
Web/ACCEPT mon wfl11:10.1.11.2
Web/ACCEPT mon wfl12:10.1.12.2
Web/ACCEPT mon wfl13:10.1.13.2
Web/ACCEPT mon wfl14:10.1.14.2
Web/ACCEPT mon wfl15:10.1.15.2
Web/ACCEPT mon wfl16:10.1.16.2
Web/ACCEPT mon wfl17:10.1.17.2
Web/ACCEPT mon wfl18:10.1.18.2
Web/ACCEPT mon wfl19:10.1.19.2
Web/ACCEPT mon wfl20:10.1.20.2
Web/ACCEPT mon wfl21:10.1.21.2
Web/ACCEPT mon wfl22:10.1.22.2
Web/ACCEPT mon wfl23:10.1.23.2
Web/ACCEPT mon wfl24:10.1.24.2
Web/ACCEPT mon wfl25:10.1.25.2
Web/ACCEPT mon wfl26:10.1.26.2
Web/ACCEPT mon wfl27:10.1.27.2
Web/ACCEPT mon wfd:10.1.50.2
Web/ACCEPT mon wbd:10.1.51.2
Web/ACCEPT mon wdayc:10.1.52.2
Web/ACCEPT mon afl1:10.1.1.2
Web/ACCEPT mon afl2:10.1.2.2
Web/ACCEPT mon afl3:10.1.3.2
Web/ACCEPT mon afl4:10.1.4.2
Web/ACCEPT mon afl5:10.1.5.2
Web/ACCEPT mon afl6:10.1.6.2
Web/ACCEPT mon afl7:10.1.7.2
Web/ACCEPT mon afl8:10.1.8.2
Web/ACCEPT mon afl9:10.1.9.2
Web/ACCEPT mon afl10:10.1.10.2
Web/ACCEPT mon afl11:10.1.11.2
Web/ACCEPT mon afl12:10.1.12.2
Web/ACCEPT mon afl13:10.1.13.2
Web/ACCEPT mon afl14:10.1.14.2
Web/ACCEPT mon afl15:10.1.15.2
Web/ACCEPT mon afl16:10.1.16.2
Syslog/ACCEPT all mon
ACCEPT all serv:10.1.100.5 udp 12000
ACCEPT serv:10.1.100.5 all udp 12000
ACCEPT woff serv:10.1.100.5 tcp 12001
Syslog/ACCEPT all serv:10.1.100.5
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
fw all ACCEPT
dev all ACCEPT
all all REJECT
#LAST LINE -- DO NOT REMOVE
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
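The iptables-restore batch floated in the post, worked through as an added example (this is not code from the post or from Shorewall): it renders the mon <-> field-zone endpoint rules that the rules file above repeats for every wfl/wfd/wbd/wdayc zone into one iptables-restore file, so the whole set is installed by a single COMMIT instead of one iptables fork per rule, and the firewall is never observed half-loaded. The chain names mon2fl and fl2mon, their hookup from FORWARD by interface pair, and the port expansions (Web taken as tcp 80,443; tftp as udp 69) are assumptions made for the example, not anything the post states.

```shell
#!/bin/sh
# Added example (not from the post, not Shorewall code): render the repeated
# mon <-> field-zone endpoint rules from the rules file above as one
# iptables-restore batch, loaded with a single COMMIT instead of one
# iptables fork per rule.
# Assumed for this example: user chains mon2fl / fl2mon fed from FORWARD
# by interface pair; the Web macro taken as tcp 80,443; tftp as udp 69.

MON_IF=eth2.201   # mon zone interface (from the interfaces/hosts files)
FL_IF=eth2.102    # wfl*/wfd/wbd/wdayc zones all sit behind this VLAN

# The endpoint addresses in the post: 10.1.N.2 for wfl1..wfl27, wfd, wbd, wdayc.
endpoint_hosts() {
    i=1
    while [ "$i" -le 27 ]; do
        echo "10.1.$i.2"
        i=$((i + 1))
    done
    echo 10.1.50.2; echo 10.1.51.2; echo 10.1.52.2
}

# One endpoint -> the three rule lines the rules file repeats per zone.
endpoint_rules() {
    host=$1
    echo "-A mon2fl -d $host -p udp -m multiport --dports 69,12000 -j ACCEPT"
    echo "-A fl2mon -s $host -p udp -m multiport --dports 69,12000 -j ACCEPT"
    echo "-A mon2fl -d $host -p tcp -m multiport --dports 80,443 -j ACCEPT"
}

# Whole batch in iptables-restore syntax. Nothing reaches the kernel until
# COMMIT, so the ruleset is never observed half-installed.
build_restore_file() {
    echo '*filter'
    echo ':mon2fl - [0:0]'
    echo ':fl2mon - [0:0]'
    echo "-A FORWARD -i $MON_IF -o $FL_IF -j mon2fl"
    echo "-A FORWARD -i $FL_IF -o $MON_IF -j fl2mon"
    endpoint_hosts | while read -r h; do endpoint_rules "$h"; done
    echo 'COMMIT'
}

# How many iptables forks this one restore replaces.
rule_count() { build_restore_file | grep -c '^-A'; }

# Print the batch; to load it: sh this.sh | iptables-restore --noflush
build_restore_file
```

The --noflush flag keeps whatever chains are already loaded, so the batch adds to the live ruleset rather than replacing it; a full Shorewall ruleset also carries the zone and policy chains that this example leaves out.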