Tom Eastep wrote:
> Andrew Suffield wrote:
>
>> So it seems like there's two ways to tackle this problem. The first is
>> to dramatically reduce the number of iptables rules used by the
>> firewall by restructuring it differently - I'm not sure if this is
>> possible, so I'm attaching the relevant parts of one of them in case
>> anybody has any ideas (the other is much the same, only bigger)
>
> I've attached an updated configuration which is similar. It requires
> that you manually configure the broadcast addresses in the interfaces
> file (I've just put "-") but it compiles on my not-so-new laptop in 10
> seconds.
Here's an updated rules file -- I didn't notice the error in the prior one. This configuration compiles in 18 seconds on the same old laptop.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
#############################################################################################################
#ACTION     SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/
#                                   PORT(S)   PORT(S)   DEST       LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
# Reject all new tcp packets that aren't SYNs - these are junk, or worms
rejNotSyn:info link all tcp
ACCEPT fw link 89
ACCEPT link fw 89
Ping/ACCEPT fw all
Ping/ACCEPT serv all
Ping/ACCEPT woff fw
Ping/ACCEPT all serv
Ping/ACCEPT all fw
Ping/ACCEPT all link
Ping/ACCEPT link serv:195.80.27.218
# Site DNS service
DNS/ACCEPT all site:10.1.0.1
DNS/ACCEPT serv:10.1.100.2 link
# SSH - pretty permissive here
SSH/ACCEPT all link
SSH/ACCEPT fw all
SSH/ACCEPT all fw
SSH/ACCEPT woff serv
SSH/ACCEPT aoff serv
# Outbound mail access
IMAPS/ACCEPT woff link
# OpenVPN tunnels
ACCEPT all fw tcp openvpn
ACCEPT all fw udp openvpn
# Internet-accessible services
IMAPS/ACCEPT all serv:10.1.100.2
Web/ACCEPT all serv:10.1.100.2
SMTP/ACCEPT all serv:10.1.100.2
DNS/ACCEPT all serv:10.1.100.2
NTP/ACCEPT all serv:10.1.100.2
Web/ACCEPT woff serv:10.1.100.5
Web/ACCEPT aoff serv:10.1.100.5
ACCEPT woff serv:10.1.100.6 tcp 3050,5900
ACCEPT aoff serv:10.1.100.6 tcp 3050,5900
SMB/ACCEPT woff serv
SMB/ACCEPT aoff serv
SMB/ACCEPT serv woff
SMB/ACCEPT serv aoff
# Systems management
Telnet/ACCEPT woff mng
Web/ACCEPT woff mng
Telnet/ACCEPT aoff mng
Web/ACCEPT aoff mng
Telnet/ACCEPT fw mng
Web/ACCEPT fw mng
ACCEPT mng serv udp tftp
# For the servers
Web/ACCEPT serv:10.1.100.2 link
FTP/ACCEPT serv:10.1.100.2 link
NTP/ACCEPT serv:10.1.100.2 link
SMTP/ACCEPT serv:10.1.100.2 link
Web/ACCEPT serv:10.1.100.2 mon
Web/ACCEPT fw all
SMB/ACCEPT fw all
SMB/ACCEPT all fw
# Site services
NTP/ACCEPT all site:10.1.0.2
# Web proxy access
ACCEPT all serv:10.1.100.2 tcp http,webcache
ACCEPT site:10.1.0.3 nec tcp 5060,5070,1720,1730
ACCEPT site:10.1.0.3 nec udp 5060,5070
ACCEPT site:10.1.0.3 nec udp 8000:8020,10020:10040,10100,4000,1720,3000,3001,1000
ACCEPT nec site:10.1.0.3 tcp 5060,5070,1720,1730
ACCEPT nec site:10.1.0.3 udp 5060,5070
ACCEPT nec site:10.1.0.3 udp 8000:8020,10020:10040,10100,4000,1720,3000,3001,1000
ACCEPT woff nec tcp 8,8000
ACCEPT woff nec tcp 5060,5070
ACCEPT woff nec udp 5060,5070
ACCEPT woff nec udp 8000:8020,10020:10040,10100,4000,1720,3000,3001,1000,3456,3458
ACCEPT nec woff udp 5060,5070
ACCEPT nec woff udp 8000:8020,10020:10040,10100,4000,1720,3000,3001,1000,3456,3458
ACCEPT nec site:10.1.0.3 all
ACCEPT site:10.1.0.3 nec all
ACCEPT woff site:10.1.0.3 udp 5060,5070,8000:8020,10020:10040
ACCEPT woff mon:10.1.200.11 udp 5060,5070,8000:8020,10020:10040
# Tag control stuff
SSH/ACCEPT woff mon
Web/ACCEPT woff mon
ACCEPT woff mon udp 12001
ACCEPT mon wfl:10.1.1.2 udp tftp,12000
ACCEPT mon wfl:10.1.2.2 udp tftp,12000
ACCEPT mon wfl:10.1.3.2 udp tftp,12000
ACCEPT mon wfl:10.1.4.2 udp tftp,12000
ACCEPT mon wfl:10.1.5.2 udp tftp,12000
ACCEPT mon wfl:10.1.6.2 udp tftp,12000
ACCEPT mon wfl:10.1.7.2 udp tftp,12000
ACCEPT mon wfl:10.1.8.2 udp tftp,12000
ACCEPT mon wfl:10.1.9.2 udp tftp,12000
ACCEPT mon wfl:10.1.10.2 udp tftp,12000
ACCEPT mon wfl:10.1.11.2 udp tftp,12000
ACCEPT mon wfl:10.1.12.2 udp tftp,12000
ACCEPT mon wfl:10.1.13.2 udp tftp,12000
ACCEPT mon wfl:10.1.14.2 udp tftp,12000
ACCEPT mon wfl:10.1.15.2 udp tftp,12000
ACCEPT mon wfl:10.1.16.2 udp tftp,12000
ACCEPT mon wfl:10.1.17.2 udp tftp,12000
ACCEPT mon wfl:10.1.18.2 udp tftp,12000
ACCEPT mon wfl:10.1.19.2 udp tftp,12000
ACCEPT mon wfl:10.1.20.2 udp tftp,12000
ACCEPT mon wfl:10.1.21.2 udp tftp,12000
ACCEPT mon wfl:10.1.22.2 udp tftp,12000
ACCEPT mon wfl:10.1.23.2 udp tftp,12000
ACCEPT mon wfl:10.1.24.2 udp tftp,12000
ACCEPT mon wfl:10.1.25.2 udp tftp,12000
ACCEPT mon wfl:10.1.26.2 udp tftp,12000
ACCEPT mon wfl:10.1.27.2 udp tftp,12000
ACCEPT mon wfd:10.1.50.2 udp tftp,12000
ACCEPT mon wbd:10.1.51.2 udp tftp,12000
ACCEPT mon wdayc:10.1.52.2 udp tftp,12000
ACCEPT mon afl:10.1.1.2 udp tftp,12000
ACCEPT mon afl:10.1.2.2 udp tftp,12000
ACCEPT mon afl:10.1.3.2 udp tftp,12000
ACCEPT mon afl:10.1.4.2 udp tftp,12000
ACCEPT mon afl:10.1.5.2 udp tftp,12000
ACCEPT mon afl:10.1.6.2 udp tftp,12000
ACCEPT mon afl:10.1.7.2 udp tftp,12000
ACCEPT mon afl:10.1.8.2 udp tftp,12000
ACCEPT mon afl:10.1.9.2 udp tftp,12000
ACCEPT mon afl:10.1.10.2 udp tftp,12000
ACCEPT mon afl:10.1.11.2 udp tftp,12000
ACCEPT mon afl:10.1.12.2 udp tftp,12000
ACCEPT mon afl:10.1.13.2 udp tftp,12000
ACCEPT mon afl:10.1.14.2 udp tftp,12000
ACCEPT mon afl:10.1.15.2 udp tftp,12000
ACCEPT mon afl:10.1.16.2 udp tftp,12000
ACCEPT wfl:10.1.1.2 mon udp tftp,12000
ACCEPT wfl:10.1.2.2 mon udp tftp,12000
ACCEPT wfl:10.1.3.2 mon udp tftp,12000
ACCEPT wfl:10.1.4.2 mon udp tftp,12000
ACCEPT wfl:10.1.5.2 mon udp tftp,12000
ACCEPT wfl:10.1.6.2 mon udp tftp,12000
ACCEPT wfl:10.1.7.2 mon udp tftp,12000
ACCEPT wfl:10.1.8.2 mon udp tftp,12000
ACCEPT wfl:10.1.9.2 mon udp tftp,12000
ACCEPT wfl:10.1.10.2 mon udp tftp,12000
ACCEPT wfl:10.1.11.2 mon udp tftp,12000
ACCEPT wfl:10.1.12.2 mon udp tftp,12000
ACCEPT wfl:10.1.13.2 mon udp tftp,12000
ACCEPT wfl:10.1.14.2 mon udp tftp,12000
ACCEPT wfl:10.1.15.2 mon udp tftp,12000
ACCEPT wfl:10.1.16.2 mon udp tftp,12000
ACCEPT wfl:10.1.17.2 mon udp tftp,12000
ACCEPT wfl:10.1.18.2 mon udp tftp,12000
ACCEPT wfl:10.1.19.2 mon udp tftp,12000
ACCEPT wfl:10.1.20.2 mon udp tftp,12000
ACCEPT wfl:10.1.21.2 mon udp tftp,12000
ACCEPT wfl:10.1.22.2 mon udp tftp,12000
ACCEPT wfl:10.1.23.2 mon udp tftp,12000
ACCEPT wfl:10.1.24.2 mon udp tftp,12000
ACCEPT wfl:10.1.25.2 mon udp tftp,12000
ACCEPT wfl:10.1.26.2 mon udp tftp,12000
ACCEPT wfl:10.1.27.2 mon udp tftp,12000
ACCEPT wfd:10.1.50.2 mon udp tftp,12000
ACCEPT wbd:10.1.51.2 mon udp tftp,12000
ACCEPT wdayc:10.1.52.2 mon udp tftp,12000
ACCEPT afl:10.1.1.2 mon udp tftp,12000
ACCEPT afl:10.1.2.2 mon udp tftp,12000
ACCEPT afl:10.1.3.2 mon udp tftp,12000
ACCEPT afl:10.1.4.2 mon udp tftp,12000
ACCEPT afl:10.1.5.2 mon udp tftp,12000
ACCEPT afl:10.1.6.2 mon udp tftp,12000
ACCEPT afl:10.1.7.2 mon udp tftp,12000
ACCEPT afl:10.1.8.2 mon udp tftp,12000
ACCEPT afl:10.1.9.2 mon udp tftp,12000
ACCEPT afl:10.1.10.2 mon udp tftp,12000
ACCEPT afl:10.1.11.2 mon udp tftp,12000
ACCEPT afl:10.1.12.2 mon udp tftp,12000
ACCEPT afl:10.1.13.2 mon udp tftp,12000
ACCEPT afl:10.1.14.2 mon udp tftp,12000
ACCEPT afl:10.1.15.2 mon udp tftp,12000
ACCEPT afl:10.1.16.2 mon udp tftp,12000
Web/ACCEPT mon wfl:10.1.1.2
Web/ACCEPT mon wfl:10.1.2.2
Web/ACCEPT mon wfl:10.1.3.2
Web/ACCEPT mon wfl:10.1.4.2
Web/ACCEPT mon wfl:10.1.5.2
Web/ACCEPT mon wfl:10.1.6.2
Web/ACCEPT mon wfl:10.1.7.2
Web/ACCEPT mon wfl:10.1.8.2
Web/ACCEPT mon wfl:10.1.9.2
Web/ACCEPT mon wfl:10.1.10.2
Web/ACCEPT mon wfl:10.1.11.2
Web/ACCEPT mon wfl:10.1.12.2
Web/ACCEPT mon wfl:10.1.13.2
Web/ACCEPT mon wfl:10.1.14.2
Web/ACCEPT mon wfl:10.1.15.2
Web/ACCEPT mon wfl:10.1.16.2
Web/ACCEPT mon wfl:10.1.17.2
Web/ACCEPT mon wfl:10.1.18.2
Web/ACCEPT mon wfl:10.1.19.2
Web/ACCEPT mon wfl:10.1.20.2
Web/ACCEPT mon wfl:10.1.21.2
Web/ACCEPT mon wfl:10.1.22.2
Web/ACCEPT mon wfl:10.1.23.2
Web/ACCEPT mon wfl:10.1.24.2
Web/ACCEPT mon wfl:10.1.25.2
Web/ACCEPT mon wfl:10.1.26.2
Web/ACCEPT mon wfl:10.1.27.2
Web/ACCEPT mon wfd:10.1.50.2
Web/ACCEPT mon wbd:10.1.51.2
Web/ACCEPT mon wdayc:10.1.52.2
Web/ACCEPT mon afl:10.1.1.2
Web/ACCEPT mon afl:10.1.2.2
Web/ACCEPT mon afl:10.1.3.2
Web/ACCEPT mon afl:10.1.4.2
Web/ACCEPT mon afl:10.1.5.2
Web/ACCEPT mon afl:10.1.6.2
Web/ACCEPT mon afl:10.1.7.2
Web/ACCEPT mon afl:10.1.8.2
Web/ACCEPT mon afl:10.1.9.2
Web/ACCEPT mon afl:10.1.10.2
Web/ACCEPT mon afl:10.1.11.2
Web/ACCEPT mon afl:10.1.12.2
Web/ACCEPT mon afl:10.1.13.2
Web/ACCEPT mon afl:10.1.14.2
Web/ACCEPT mon afl:10.1.15.2
Web/ACCEPT mon afl:10.1.16.2
Syslog/ACCEPT all mon
ACCEPT all serv:10.1.100.5 udp 12000
ACCEPT serv:10.1.100.5 all udp 12000
ACCEPT woff serv:10.1.100.5 tcp 12001
Syslog/ACCEPT all serv:10.1.100.5
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
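The thread is about cutting the number of rules the firewall has to carry, and the attached file shows where most of them come from: long runs of lines that differ only in the address after the zone (`mon wfl:10.1.1.2`, `mon wfl:10.1.2.2`, ...). Shorewall's SOURCE and DEST columns accept a comma-separated address list after the zone name, so each such run can be written as one line. The script below is an added example, not code from the message or from Shorewall; it reads a rules file in the columnar layout used above and folds adjacent rules that are identical apart from the address list into a single line. It only merges adjacent lines, because iptables is first-match and pulling a rule past an intervening one with a different action could change the policy; and it refuses to merge rules that carry addresses on both SOURCE and DEST, because `a,b -> c,d` also permits `a -> d` and `b -> c`, which the original lines did not. The sample input is a constructed cut-down copy of the tag-control block. One caveat worth stating: Shorewall expands an address list into one iptables rule per address, so this shrinks the rules file and the compiler's input, not the kernel's rule count; reducing that needs an ipset (`+setname` in the SOURCE/DEST column, where the kernel supports it) or address ranges that aggregate into a subnet, and the hosts in this file are spread over different zones anyway.

```python
"""Fold adjacent Shorewall rules that differ only in their address list.

Added example, not part of the original message or of Shorewall.
Assumes the classic columnar layout: ACTION SOURCE DEST [PROTO [DEST PORT(S) ...]].
"""
from typing import List, Optional, Tuple

# Constructed sample: a cut-down copy of the repetitive "Tag control" block.
SAMPLE_RULES = """\
SECTION NEW
# Tag control stuff
ACCEPT mon wfl:10.1.1.2 udp tftp,12000
ACCEPT mon wfl:10.1.2.2 udp tftp,12000
ACCEPT mon wfl:10.1.3.2 udp tftp,12000
ACCEPT mon wfd:10.1.50.2 udp tftp,12000
ACCEPT mon afl:10.1.1.2 udp tftp,12000
ACCEPT mon afl:10.1.2.2 udp tftp,12000
ACCEPT wfl:10.1.1.2 mon udp tftp,12000
ACCEPT wfl:10.1.2.2 mon udp tftp,12000
Web/ACCEPT mon wfl:10.1.1.2
Web/ACCEPT mon wfl:10.1.2.2
Web/ACCEPT mon afl:10.1.1.2
Syslog/ACCEPT all mon
"""


def split_host(col: str) -> Tuple[str, List[str]]:
    """'wfl:10.1.1.2,10.1.2.2' -> ('wfl', [...]); a bare zone has no hosts."""
    zone, sep, hosts = col.partition(":")
    return zone, hosts.split(",") if sep else []


def parse_rule(line: str) -> Optional[dict]:
    """Return the rule's columns, or None for blank, comment and SECTION lines."""
    body = line.split("#", 1)[0].strip()
    if not body or body.startswith("SECTION"):
        return None
    cols = body.split()
    if len(cols) < 3:
        return None
    szone, shosts = split_host(cols[1])
    dzone, dhosts = split_host(cols[2])
    return {"action": cols[0], "szone": szone, "shosts": shosts,
            "dzone": dzone, "dhosts": dhosts, "rest": tuple(cols[3:])}


def merge_key(r: dict):
    """Rules share a key when everything but the address list is identical.
    Addresses on both sides, or on neither, make the rule non-mergeable."""
    if (r["shosts"] and r["dhosts"]) or not (r["shosts"] or r["dhosts"]):
        return None
    side = "src" if r["shosts"] else "dst"
    return (r["action"], r["szone"], r["dzone"], r["rest"], side)


def format_rule(r: dict) -> str:
    src = r["szone"] + (":" + ",".join(r["shosts"]) if r["shosts"] else "")
    dst = r["dzone"] + (":" + ",".join(r["dhosts"]) if r["dhosts"] else "")
    return " ".join([r["action"], src, dst, *r["rest"]])


def consolidate(text: str) -> List[str]:
    """Rewrite the file, folding adjacent mergeable rules; order is preserved."""
    out: List[str] = []
    pending: Optional[dict] = None  # the rule currently being extended
    pkey = None

    def flush() -> None:
        nonlocal pending, pkey
        if pending is not None:
            out.append(format_rule(pending))
        pending, pkey = None, None

    for line in text.splitlines():
        r = parse_rule(line)
        if r is None:  # comment/blank/SECTION: keep verbatim and end the run
            flush()
            out.append(line.rstrip())
            continue
        k = merge_key(r)
        if k is not None and k == pkey:
            hosts = pending["shosts"] if k[-1] == "src" else pending["dhosts"]
            for h in (r["shosts"] if k[-1] == "src" else r["dhosts"]):
                if h not in hosts:  # drop exact duplicates
                    hosts.append(h)
            continue
        flush()
        if k is None:
            out.append(format_rule(r))
        else:
            pending, pkey = r, k
    flush()
    return out


def count_rules(lines: List[str]) -> int:
    """Number of non-comment, non-SECTION rule lines."""
    return sum(1 for l in lines if parse_rule(l) is not None)


if __name__ == "__main__":
    folded = consolidate(SAMPLE_RULES)
    print("\n".join(folded))
    print("rules before: %d, after: %d" %
          (count_rules(SAMPLE_RULES.splitlines()), count_rules(folded)))
```

Run it against the real file (`consolidate(open("rules").read())`) and diff the output against the original before installing it; every merged line should correspond to a contiguous run in the source, and any rule with addresses on both sides will come through untouched.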
