On 05/03/2010 06:42 PM, Tom Eastep wrote:
> On 05/03/2010 06:19 PM, sangprabv wrote:
>> I have a problem with my shorewall. We are now doing some stress test
>> with a http application behind the shorewall. Firstly we send 10.000
>> requests to a http based application with no firewall. It can
>> receive 100% requests. But when we put shorewall in front of it then
>> it starts to lose requests. Is there any packet limitation from
>> shorewall all it's about conntrack? Thanks for the reply
>
> Shorewall itself imposes no limitations besides the 20% penalty imposed
> by conntrack. But a stupid Shorewall configuration can certainly add
> lots of delay and packet loss.
>
> I suggest that you try:
>
> a) clients -> server with no intermediate Linux Router.
> b) clients -> Linux Router with no conntrack -> server
> c) clients -> Linux Router with nf_conntrack loaded -> server.
> d) clients -> Linux Router with Shorewall -> server.
>
> If d) is substantially worse than c), then please submit the output of
> 'shorewall dump' collected after the test.

It's also unclear what you mean by 'requests'. Shorewall rules fall into
multiple categories:

a) Those that are only applied for new connection requests. These include
   policies (including the LIMIT:BURST setting) and entries in the rules
   (NEW section), masq, nat and netmap files along with blacklisting
   entries (assuming that BLACKLISTNEWONLY=Yes).

b) Those that are applied to every packet. These include entries in the
   tcrules and route_rules files along with blacklisting entries when
   BLACKLISTNEWONLY=No and entries in the rules file ESTABLISHED section.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
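
Added example, not part of the thread and not Shorewall code: a check to run on the Linux router after test runs c) and d) to see whether the connection tracking table filled up, which would cause loss regardless of the ruleset. Table exhaustion is not mentioned in the thread and is examined here as an assumption worth ruling out; the procfs entries and kernel message are the standard nf_conntrack ones, while the sample values, the host name `fw` and the 90% threshold are constructed.

```shell
#!/bin/sh
# Added example: is the conntrack table itself the bottleneck in runs c) and d)?
# Assumes the standard nf_conntrack procfs entries; the directory can be overridden for offline use.
CT_DIR="${CT_DIR:-/proc/sys/net/netfilter}"

# Print "<count> <max> <percent used>" for the connection tracking table.
conntrack_usage() {
    dir="${1:-$CT_DIR}"
    [ -r "$dir/nf_conntrack_count" ] && [ -r "$dir/nf_conntrack_max" ] || {
        echo "nf_conntrack not loaded: $dir/nf_conntrack_count missing" >&2
        return 2
    }
    count=$(cat "$dir/nf_conntrack_count")
    max=$(cat "$dir/nf_conntrack_max")
    [ "$max" -gt 0 ] || return 2
    echo "$count $max $((count * 100 / max))"
}

# Count kernel log lines (on stdin) that report packets dropped because the table was full.
table_full_drops() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Verdict for one test run: DROPPING, NEAR-FULL or OK. warn_pct is an arbitrary default.
assess() {
    warn_pct="${3:-90}"
    usage=$(conntrack_usage "$1") || return 2
    pct=${usage##* }
    drops=$(table_full_drops < "$2")
    if [ "$drops" -gt 0 ]; then
        echo "DROPPING: $drops table-full messages, table at ${pct}%"
    elif [ "$pct" -ge "$warn_pct" ]; then
        echo "NEAR-FULL: table at ${pct}%, raise nf_conntrack_max before retesting"
    else
        echo "OK: table at ${pct}%, the conntrack table is not the limit"
    fi
}

# Constructed sample (not captured from a real router): a nearly full table and a short kernel log.
sample_dir=$(mktemp -d)
echo 65530 > "$sample_dir/nf_conntrack_count"
echo 65536 > "$sample_dir/nf_conntrack_max"
cat > "$sample_dir/kern.log" <<'EOF'
May  3 18:30:01 fw kernel: nf_conntrack: table full, dropping packet.
May  3 18:30:02 fw kernel: nf_conntrack: table full, dropping packet.
May  3 18:30:03 fw kernel: eth0: link is up
EOF
assess "$sample_dir" "$sample_dir/kern.log"
```

On a live router, call `assess /proc/sys/net/netfilter <kernel log file>` right after each run, before the table drains.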
