Andrew Suffield wrote:

> So it seems like there's two ways to tackle this problem. The first is
> to dramatically reduce the number of iptables rules used by the
> firewall by restructuring it differently - I'm not sure if this is
> possible, so I'm attaching the relevant parts of one of them in case
> anybody has any ideas (the other is much the same, only bigger)
I've attached an updated configuration which is similar. It requires that
you manually configure the broadcast addresses in the interfaces file
(I've just put "-") but it compiles on my not-so-new laptop in 10 seconds.

> The other way is to modify shorewall to use a different approach to
> installing rules. It seems to me that iptables-restore could be
> (ab)used to perform batch installations of many rules at once. I think
> that's either a really good idea or a really bad one, but I'm not sure
> which.

That change is almost as big as the change from 3.0 -> 3.2. I've looked at
it but I'm out of energy for this type of massive change at the moment.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
###############################################################################
#ZONE   HOST(S)                         OPTIONS
site    eth2.100:10.1.0.0/24
mon     eth2.201:10.1.201.11
# For practical purposes, we'll classify these as part of the management zone
mng     eth2.102:10.1.102.11
mng     eth2.102:10.1.102.12
woff    eth2.102:10.1.200.0/24
nec     eth2.102:10.1.106.0/25
tag     eth2.102:10.1.106.128/25
vpn     eth2.102:10.1.105.0/24
mng     eth2.102:10.1.101.0/24
wfl     eth2.102:0.0.0.0/0
wfd     eth2.102:10.1.50.0/24
wbd     eth2.102:10.1.51.0/24
wdayc   eth2.102:10.1.52.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
link    eth2.102        detect
aoff    eth2.201        detect          dhcp
serv    eth2.100        detect          dhcp
dev     eth2.202        detect
afl     eth2.3+         -               dhcp
afl     eth2.4+         -               dhcp
rogue   eth2.1          detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
###############################################################################
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
fw      all     ACCEPT
dev     all     ACCEPT
all     all     REJECT
#LAST LINE -- DO NOT REMOVE
#############################################################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#                               PORT(S) PORT(S) DEST            LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
# Reject all new tcp packets that aren't SYNs - these are junk, or worms
rejNotSyn:info link all tcp
ACCEPT fw link 89
ACCEPT link fw 89
Ping/ACCEPT fw all
Ping/ACCEPT serv all
Ping/ACCEPT woff fw
Ping/ACCEPT all serv
Ping/ACCEPT all fw
Ping/ACCEPT all link
Ping/ACCEPT link serv:195.80.27.218
# Site DNS service
DNS/ACCEPT all site:10.1.0.1
DNS/ACCEPT serv:10.1.100.2 link
# SSH - pretty permissive here
SSH/ACCEPT all link
SSH/ACCEPT fw all
SSH/ACCEPT all fw
SSH/ACCEPT woff serv
SSH/ACCEPT aoff serv
# Outbound mail access
IMAPS/ACCEPT woff link
# OpenVPN tunnels
ACCEPT all fw tcp openvpn
ACCEPT all fw udp openvpn
# Internet-accessible services
IMAPS/ACCEPT all serv:10.1.100.2
Web/ACCEPT all serv:10.1.100.2
SMTP/ACCEPT all serv:10.1.100.2
DNS/ACCEPT all serv:10.1.100.2
NTP/ACCEPT all serv:10.1.100.2
Web/ACCEPT woff serv:10.1.100.5
Web/ACCEPT aoff serv:10.1.100.5
ACCEPT woff serv:10.1.100.6 tcp 3050,5900
ACCEPT aoff serv:10.1.100.6 tcp 3050,5900
SMB/ACCEPT woff serv
SMB/ACCEPT aoff serv
SMB/ACCEPT serv woff
SMB/ACCEPT serv aoff
# Systems management
Telnet/ACCEPT woff mng
Web/ACCEPT woff mng
Telnet/ACCEPT aoff mng
Web/ACCEPT aoff mng
Telnet/ACCEPT fw mng
Web/ACCEPT fw mng
ACCEPT mng serv udp tftp
# For the servers
Web/ACCEPT serv:10.1.100.2 link
FTP/ACCEPT serv:10.1.100.2 link
NTP/ACCEPT serv:10.1.100.2 link
SMTP/ACCEPT serv:10.1.100.2 link
Web/ACCEPT serv:10.1.100.2 mon
Web/ACCEPT fw all
SMB/ACCEPT fw all
SMB/ACCEPT all fw
# Site services
NTP/ACCEPT all site:10.1.0.2
# Web proxy access
ACCEPT all serv:10.1.100.2 tcp http,webcache
ACCEPT site:10.1.0.3 nec tcp 5060,5070,1720,1730
ACCEPT site:10.1.0.3 nec udp 5060,5070
ACCEPT site:10.1.0.3 nec udp 8000:8020,10020:10040,10100,4000,1720,3000,3001,1000
ACCEPT nec site:10.1.0.3 tcp 5060,5070,1720,1730
ACCEPT nec site:10.1.0.3 udp 5060,5070
ACCEPT nec site:10.1.0.3 udp 8000:8020,10020:10040,10100,4000,1720,3000,3001,1000
ACCEPT woff nec tcp 8,8000
ACCEPT woff nec tcp 5060,5070
ACCEPT woff nec udp 5060,5070
ACCEPT woff nec udp 8000:8020,10020:10040,10100,4000,1720,3000,3001,1000,3456,3458
ACCEPT nec woff udp 5060,5070
ACCEPT nec woff udp 8000:8020,10020:10040,10100,4000,1720,3000,3001,1000,3456,3458
ACCEPT nec site:10.1.0.3 all
ACCEPT site:10.1.0.3 nec all
ACCEPT woff site:10.1.0.3 udp 5060,5070,8000:8020,10020:10040
ACCEPT woff mon:10.1.200.11 udp 5060,5070,8000:8020,10020:10040
# Tag control stuff
SSH/ACCEPT woff mon
Web/ACCEPT woff mon
ACCEPT woff mon udp 12001
ACCEPT mon wfl1:10.1.1.2 udp tftp,12000
ACCEPT mon wfl2:10.1.2.2 udp tftp,12000
ACCEPT mon wfl3:10.1.3.2 udp tftp,12000
ACCEPT mon wfl4:10.1.4.2 udp tftp,12000
ACCEPT mon wfl5:10.1.5.2 udp tftp,12000
ACCEPT mon wfl6:10.1.6.2 udp tftp,12000
ACCEPT mon wfl7:10.1.7.2 udp tftp,12000
ACCEPT mon wfl8:10.1.8.2 udp tftp,12000
ACCEPT mon wfl9:10.1.9.2 udp tftp,12000
ACCEPT mon wfl10:10.1.10.2 udp tftp,12000
ACCEPT mon wfl11:10.1.11.2 udp tftp,12000
ACCEPT mon wfl12:10.1.12.2 udp tftp,12000
ACCEPT mon wfl13:10.1.13.2 udp tftp,12000
ACCEPT mon wfl14:10.1.14.2 udp tftp,12000
ACCEPT mon wfl15:10.1.15.2 udp tftp,12000
ACCEPT mon wfl16:10.1.16.2 udp tftp,12000
ACCEPT mon wfl17:10.1.17.2 udp tftp,12000
ACCEPT mon wfl18:10.1.18.2 udp tftp,12000
ACCEPT mon wfl19:10.1.19.2 udp tftp,12000
ACCEPT mon wfl20:10.1.20.2 udp tftp,12000
ACCEPT mon wfl21:10.1.21.2 udp tftp,12000
ACCEPT mon wfl22:10.1.22.2 udp tftp,12000
ACCEPT mon wfl23:10.1.23.2 udp tftp,12000
ACCEPT mon wfl24:10.1.24.2 udp tftp,12000
ACCEPT mon wfl25:10.1.25.2 udp tftp,12000
ACCEPT mon wfl26:10.1.26.2 udp tftp,12000
ACCEPT mon wfl27:10.1.27.2 udp tftp,12000
ACCEPT mon wfd:10.1.50.2 udp tftp,12000
ACCEPT mon wbd:10.1.51.2 udp tftp,12000
ACCEPT mon wdayc:10.1.52.2 udp tftp,12000
ACCEPT mon afl:10.1.1.2 udp tftp,12000
ACCEPT mon afl:10.1.2.2 udp tftp,12000
ACCEPT mon afl:10.1.3.2 udp tftp,12000
ACCEPT mon afl:10.1.4.2 udp tftp,12000
ACCEPT mon afl:10.1.5.2 udp tftp,12000
ACCEPT mon afl:10.1.6.2 udp tftp,12000
ACCEPT mon afl:10.1.7.2 udp tftp,12000
ACCEPT mon afl:10.1.8.2 udp tftp,12000
ACCEPT mon afl:10.1.9.2 udp tftp,12000
ACCEPT mon afl:10.1.10.2 udp tftp,12000
ACCEPT mon afl:10.1.11.2 udp tftp,12000
ACCEPT mon afl:10.1.12.2 udp tftp,12000
ACCEPT mon afl:10.1.13.2 udp tftp,12000
ACCEPT mon afl1:10.1.14.2 udp tftp,12000
ACCEPT mon afl:10.1.15.2 udp tftp,12000
ACCEPT mon afl:10.1.16.2 udp tftp,12000
ACCEPT wfl:10.1.1.2 mon udp tftp,12000
ACCEPT wfl:10.1.2.2 mon udp tftp,12000
ACCEPT wfl:10.1.3.2 mon udp tftp,12000
ACCEPT wfl:10.1.4.2 mon udp tftp,12000
ACCEPT wfl:10.1.5.2 mon udp tftp,12000
ACCEPT wfl:10.1.6.2 mon udp tftp,12000
ACCEPT wfl:10.1.7.2 mon udp tftp,12000
ACCEPT wfl:10.1.8.2 mon udp tftp,12000
ACCEPT wfl:10.1.9.2 mon udp tftp,12000
ACCEPT wfl:10.1.10.2 mon udp tftp,12000
ACCEPT wfl:10.1.11.2 mon udp tftp,12000
ACCEPT wfl:10.1.12.2 mon udp tftp,12000
ACCEPT wfl:10.1.13.2 mon udp tftp,12000
ACCEPT wfl:10.1.14.2 mon udp tftp,12000
ACCEPT wfl:10.1.15.2 mon udp tftp,12000
ACCEPT wfl:10.1.16.2 mon udp tftp,12000
ACCEPT wfl:10.1.17.2 mon udp tftp,12000
ACCEPT wfl:10.1.18.2 mon udp tftp,12000
ACCEPT wfl:10.1.19.2 mon udp tftp,12000
ACCEPT wfl:10.1.20.2 mon udp tftp,12000
ACCEPT wfl:10.1.21.2 mon udp tftp,12000
ACCEPT wfl:10.1.22.2 mon udp tftp,12000
ACCEPT wfl:10.1.23.2 mon udp tftp,12000
ACCEPT wfl:10.1.24.2 mon udp tftp,12000
ACCEPT wfl:10.1.25.2 mon udp tftp,12000
ACCEPT wfl:10.1.26.2 mon udp tftp,12000
ACCEPT wfl:10.1.27.2 mon udp tftp,12000
ACCEPT wfd:10.1.50.2 mon udp tftp,12000
ACCEPT wbd:10.1.51.2 mon udp tftp,12000
ACCEPT wdayc:10.1.52.2 mon udp tftp,12000
ACCEPT afl:10.1.1.2 mon udp tftp,12000
ACCEPT afl:10.1.2.2 mon udp tftp,12000
ACCEPT afl:10.1.3.2 mon udp tftp,12000
ACCEPT afl:10.1.4.2 mon udp tftp,12000
ACCEPT afl:10.1.5.2 mon udp tftp,12000
ACCEPT afl:10.1.6.2 mon udp tftp,12000
ACCEPT afl:10.1.7.2 mon udp tftp,12000
ACCEPT afl:10.1.8.2 mon udp tftp,12000
ACCEPT afl:10.1.9.2 mon udp tftp,12000
ACCEPT afl:10.1.10.2 mon udp tftp,12000
ACCEPT afl:10.1.11.2 mon udp tftp,12000
ACCEPT afl:10.1.12.2 mon udp tftp,12000
ACCEPT afl:10.1.13.2 mon udp tftp,12000
ACCEPT afl:10.1.14.2 mon udp tftp,12000
ACCEPT afl:10.1.15.2 mon udp tftp,12000
ACCEPT afl:10.1.16.2 mon udp tftp,12000
Web/ACCEPT mon wfl:10.1.1.2
Web/ACCEPT mon wfl:10.1.2.2
Web/ACCEPT mon wfl:10.1.3.2
Web/ACCEPT mon wfl:10.1.4.2
Web/ACCEPT mon wfl:10.1.5.2
Web/ACCEPT mon wfl:10.1.6.2
Web/ACCEPT mon wfl:10.1.7.2
Web/ACCEPT mon wfl:10.1.8.2
Web/ACCEPT mon wfl:10.1.9.2
Web/ACCEPT mon wfl:10.1.10.2
Web/ACCEPT mon wfl:10.1.11.2
Web/ACCEPT mon wfl:10.1.12.2
Web/ACCEPT mon wfl:10.1.13.2
Web/ACCEPT mon wfl:10.1.14.2
Web/ACCEPT mon wfl:10.1.15.2
Web/ACCEPT mon wfl:10.1.16.2
Web/ACCEPT mon wfl:10.1.17.2
Web/ACCEPT mon wfl:10.1.18.2
Web/ACCEPT mon wfl:10.1.19.2
Web/ACCEPT mon wfl:10.1.20.2
Web/ACCEPT mon wfl:10.1.21.2
Web/ACCEPT mon wfl:10.1.22.2
Web/ACCEPT mon wfl:10.1.23.2
Web/ACCEPT mon wfl:10.1.24.2
Web/ACCEPT mon wfl:10.1.25.2
Web/ACCEPT mon wfl:10.1.26.2
Web/ACCEPT mon wfl:10.1.27.2
Web/ACCEPT mon wfd:10.1.50.2
Web/ACCEPT mon wbd:10.1.51.2
Web/ACCEPT mon wdayc:10.1.52.2
Web/ACCEPT mon afl:10.1.1.2
Web/ACCEPT mon afl:10.1.2.2
Web/ACCEPT mon afl:10.1.3.2
Web/ACCEPT mon afl:10.1.4.2
Web/ACCEPT mon afl:10.1.5.2
Web/ACCEPT mon afl:10.1.6.2
Web/ACCEPT mon afl:10.1.7.2
Web/ACCEPT mon afl:10.1.8.2
Web/ACCEPT mon afl:10.1.9.2
Web/ACCEPT mon afl:10.1.10.2
Web/ACCEPT mon afl:10.1.11.2
Web/ACCEPT mon afl:10.1.12.2
Web/ACCEPT mon afl:10.1.13.2
Web/ACCEPT mon afl:10.1.14.2
Web/ACCEPT mon afl:10.1.15.2
Web/ACCEPT mon afl:10.1.16.2
Syslog/ACCEPT all mon
ACCEPT all serv:10.1.100.5 udp 12000
ACCEPT serv:10.1.100.5 all udp 12000
ACCEPT woff serv:10.1.100.5 tcp 12001
Syslog/ACCEPT all serv:10.1.100.5
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
rogue
site
mon
mng
serv
dev
nec
tag
woff
aoff
wfd
wbd
wdayc
wfl
afl
vpn
link
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
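Added example, not from this thread or from Shorewall itself: a small Python audit that parses a rules file in the layout above, counts rules per zone pair (Shorewall compiles each pair that carries rules into its own chain) and lists rule groups that differ only in the DEST host, the per-device pattern that fills the attached file. The sample rules are constructed; a real file is read with parse_rules(open(path).read()).

```python
from collections import defaultdict

# Constructed sample in the Shorewall 3.x rules-file layout used in the thread.
SAMPLE_RULES = """\
SECTION NEW
ACCEPT mon wfl:10.1.1.2 udp tftp,12000
ACCEPT mon wfl:10.1.2.2 udp tftp,12000
ACCEPT mon wfl:10.1.3.2 udp tftp,12000
ACCEPT mon afl:10.1.1.2 udp tftp,12000
Web/ACCEPT mon wfl:10.1.1.2
Web/ACCEPT mon wfl:10.1.2.2
Syslog/ACCEPT all mon
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

def parse_rules(text):
    """(action, source, dest, proto, ports) per rule; comments, blank lines and
    SECTION markers are skipped and absent columns become '-'."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("SECTION"):
            continue
        cols = line.split()
        rules.append(tuple((cols + ["-"] * 5)[:5]))
    return rules

def split_host(col):
    """'wfl:10.1.1.2' -> ('wfl', '10.1.1.2'); a bare zone gives host None."""
    zone, _, host = col.partition(":")
    return zone, host or None

def zone_pair_counts(rules):
    """Rules per (source zone, dest zone); Shorewall compiles each pair that
    carries rules into its own chain, so this is where the rule count lives."""
    counts = defaultdict(int)
    for _, src, dst, _, _ in rules:
        counts[(split_host(src)[0], split_host(dst)[0])] += 1
    return dict(counts)

def host_only_groups(rules, min_size=2):
    """Rules identical except for the DEST host: every host still compiles to
    its own iptables rule, so these are candidates for a subnet or ipset match."""
    groups = defaultdict(list)
    for action, src, dst, proto, ports in rules:
        zone, host = split_host(dst)
        if host:
            groups[(action, src, zone, proto, ports)].append(host)
    return {k: v for k, v in groups.items() if len(v) >= min_size}
```

A comma-separated address list in SOURCE or DEST shortens the file but each address still becomes a separate iptables rule, so the per-pair counts rather than the line count are the number a restructuring has to bring down.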
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
