On 04/28/2017 10:58 PM, Daniel Pocock wrote:
>
>
> On 28/04/17 23:13, Simon Hobson wrote:
>> Daniel Pocock <[email protected]> wrote:
>>
>>> I'm noticing latency doubles when things go through the
>>> firewall. In particular, I have recently set up a couple of
>>> virtual desktops and I'm trying to access them with the SPICE
>>> protocol. It is supposed to be more efficient than VNC or RDP
>>> but I'm finding there is always latency in the UI.
>>>
>>> I tried some ping tests (from my home, using a gigabit fibre
>>> connection) and observed:
>>>
>>> ping the physical server = 0.8ms
>>> ping the virtual firewall = 1.4ms
>>> ping the virtual server = 1.8ms
>>
>> What happens if you clear the firewall (shorewall clear) ? Bear
>> in mind that when you introduce the firewall, you are (I assume)
>> sending the packets through an extra switch, virtual NIC, virtual
>> machine, virtual NIC. So even without any firewall processing you
>> will add latency. Looking at the times you give above, adding the
>> virtual switch and NIC to get to the firewall VM adds .6ms, the
>> extra virtual NIC, virtual switch, virtual NIC to get to the
>> server adds an additional 0.4ms. Not much in it.
>>
>
> I tried "shorewall clear && shorewall6 clear" while running ping
> and didn't see much difference in the ping times so it may not be
> firewalling at all.
>
> If I understand the conntrack documentation[1] correctly, each TCP
> packet is still processed by conntrack even if there are no
> firewall rules using NAT. The only way to stop conntrack looking
> at packets is to unload the modules for conntrack. Could conntrack
> be adding that much latency though?

Not by itself. Note that you can selectively disable conntrack by adding
entries in the conntrack file (shorewall-conntrack(5)).

-Tom
--
Tom Eastep        \ Q: What do you get when you cross a mobster with
Shoreline,         \ an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
