On Mon, Sep 30, 2019 at 04:56:05PM +0200, Vieri Di Paola wrote:
> Thanks. It works with -o and FORWARD, OUTPUT, POSTROUTING. PREROUTING
> is not allowed, obviously.
>
> However, I'm experiencing severe performance issues even though there
> does not seem to be any traffic bottleneck on the FW itself or on the
> collector.
> If I use the OUTPUT chain then I can see the FW's ICMP requests. I
> connect to the IDS host at 10.215.144.7 via ssh from FW, and from
> there do a tcpdump to see what I get.
> If I use -o and POSTROUTING or FORWARD then my ssh session freezes
> most of the time. A ping from FW to the IDS host's IP address fails
> most of the time.
> Removing this rule (-D) restores the ssh session after a short while,
> and the pings flow as expected.
>
> What could be the issue at hand if a monitor such as iptraf-ng does
> not seem to show any high traffic values on the NICs?
Maybe the TEE operation is just that expensive. After all, without it, the kernel can often do zero-copy forwarding of packets from one interface to another. The TEE might be forcing it to copy every single packet before sending it out two interfaces with different destination addresses. I have never used TEE so I have no idea. It just looks like something that could be very expensive.

-- 
Len Sorensen

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
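The rule being discussed is the iptables TEE target, which lives in the mangle table and, per the iptables-extensions manpage, clones each matching packet and sends the clone to the host given with --gateway; that per-packet clone is the copy Len speculates about. The script below is an added example written for this page, not code from either poster or from Shorewall. It builds the add (-A) and delete (-D) forms of the mirroring rule for a given chain, refuses the combinations iptables itself rejects (-o is meaningless before routing, so it is not allowed in PREROUTING or INPUT), and emits the counter listing that shows how many packets the rule has cloned. The collector address 10.215.144.7 comes from the thread; the egress interface name eth1 is an assumption. The script only prints the commands, it does not run them, so it can be checked without root or iptables installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from Shorewall.
# Builds iptables TEE mirroring rules for the mangle table and rejects
# chain/option combinations that iptables would refuse.
# Assumed values: egress interface "eth1"; collector 10.215.144.7 (from the thread).

# tee_rule ACTION CHAIN OUT_IF GATEWAY
#   ACTION is -A (append) or -D (delete).
#   OUT_IF may be "" for chains where -o is not permitted.
tee_rule() {
    action=$1; chain=$2; out_if=$3; gw=$4
    case "$chain" in
        PREROUTING|INPUT)
            # -o names the outgoing interface, which is only known after
            # routing, so iptables rejects -o in PREROUTING and INPUT.
            if [ -n "$out_if" ]; then
                echo "error: -o is not allowed in $chain" >&2
                return 1
            fi
            ;;
        OUTPUT|FORWARD|POSTROUTING)
            ;;
        *)
            echo "error: unknown chain $chain" >&2
            return 1
            ;;
    esac
    # TEE is a mangle-table target: every packet matching the rule is
    # cloned and the clone is sent to --gateway on the local segment.
    if [ -n "$out_if" ]; then
        printf 'iptables -t mangle %s %s -o %s -j TEE --gateway %s\n' \
            "$action" "$chain" "$out_if" "$gw"
    else
        printf 'iptables -t mangle %s %s -j TEE --gateway %s\n' \
            "$action" "$chain" "$gw"
    fi
}

# counter_check CHAIN
#   Command that lists the chain with exact packet/byte counters, so the
#   number of packets the TEE rule has cloned is visible even when a NIC
#   monitor such as iptraf-ng shows nothing unusual.
counter_check() {
    printf 'iptables -t mangle -L %s -v -n -x\n' "$1"
}

# Example usage: print the mirror rule, its removal, and the counter check.
tee_rule -A POSTROUTING eth1 10.215.144.7
tee_rule -D POSTROUTING eth1 10.215.144.7
counter_check POSTROUTING
```

Run the printed -A line as root to start mirroring, read the counters with the -L line while the ssh session to the collector is misbehaving, and run the -D line to remove the rule again, matching the -D step Vieri describes.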