Troubleshooting Netfilter Firewall (performance issues)

Derick Anderson danderson at vikus.com
Fri Nov 4 15:42:29 CET 2005
> -----Original Message-----
> From: Harrison, James [mailto:james.harrison at americancolor.com] 
> Sent: Thursday, November 03, 2005 1:24 PM
> To: Derick Anderson
> Cc: netfilter at lists.netfilter.org
> Subject: RE: Troubleshooting Netfilter Firewall (performance issues)
> 
> On Thu, 2005-11-03 at 12:55 -0500, Derick Anderson wrote:
> [snip]
> 
> > 
> > If I were you I would monitor top during a large transfer and maybe do
> > an ethereal dump as well. If your two endpoint machines are both on
> > Gbit LAN and your firewall is 100Mbit (on a 100/1000 switch) then
> > perhaps your firewall NICs are getting overloaded. Every night at my
> > company all the servers (Gbit) back up to a local machine (100Mbit).
> > They each have their time window for backing up but it's common for
> > Nagios to report an "UNKNOWN" status for the backup server in the
> > early morning hours. Of course that could simply be the poor little
> > backup server not having the time to reply...
> > 
> > Derick Anderson
> 
> According to netstat -i I shouldn't be having issues with 
> overloading the interfaces. (TX-ERR on eth0 and eth1 are 
> static and have not
> incremented) I have 2/100MB and 2/1000MB interfaces.
> 
> Iface   MTU Met     RX-OK RX-ERR RX-DRP RX-OVR     TX-OK TX-ERR TX-DRP TX-OVR Flg
> eth0   1500 0    50757220      0      0      0  50703586    523      0      0 BMRU
> eth0:  1500 0         - no statistics available -                         BMRU
> eth1   1500 0   339989009      0      0      0 397086634   3381      0      0 BMRU
> eth1:  1500 0         - no statistics available -                         BMRU
> eth2   1500 0   409181861      0      0      0 344550753      0      0      0 BMRU
> eth3   1500 0    11352902      0      0      0  15003672      0      0      0 BMRU
> eth3:  1500 0         - no statistics available -                         BMRU
> 
> It is running on the Devil Linux distro.
> 
> --
> James Harrison RHCE
> Manager, Information Security
> AIM: harrijh1

Unless Devil Linux has messed with your TCP/IP options in the kernel,
then I think it's time to look at the firewall. If you have an
abnormally high number of rules, this could be an issue, or if you're
rate-limiting anything...

Derick Anderson
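
The check James describes above, whether the TX-ERR (and other error/drop) counters in `netstat -i` are static or incrementing across a transfer, written out as a small script. This is an added example, not code from the thread; both snapshots are constructed, the first from the figures James posted and the second from a hypothetical large transfer.

```python
"""Parse two `netstat -i` snapshots and report interfaces whose error, drop
or overrun counters moved between them. Added example; the snapshots are
constructed (the first from the figures posted in the thread)."""

COUNTERS = ("RX-OK", "RX-ERR", "RX-DRP", "RX-OVR",
            "TX-OK", "TX-ERR", "TX-DRP", "TX-OVR")
ERROR_COUNTERS = tuple(c for c in COUNTERS if not c.endswith("-OK"))

SNAPSHOT_BEFORE = """\
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500 0  50757220      0      0      0 50703586    523      0      0 BMRU
eth0:  1500 0       - no statistics available -                        BMRU
eth1   1500 0  339989009      0      0      0 397086634   3381      0      0 BMRU
eth2   1500 0  409181861      0      0      0 344550753      0      0      0 BMRU
eth3   1500 0  11352902      0      0      0 15003672      0      0      0 BMRU
"""
# Constructed second snapshot: TX-ERR on eth0/eth1 is static (as James
# reported), but eth2 has started dropping received frames.
SNAPSHOT_AFTER = """\
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500 0  51757220      0      0      0 51703586    523      0      0 BMRU
eth1   1500 0  341989009      0      0      0 400086634   3381      0      0 BMRU
eth2   1500 0  414181861      0     42      0 344650753      0      0      0 BMRU
eth3   1500 0  11352902      0      0      0 15003672      0      0      0 BMRU
"""

def parse_netstat_i(text):
    """Return {iface: {counter: int}}; alias rows (eth0:) carry no stats."""
    stats = {}
    for line in text.splitlines():
        if "no statistics available" in line:
            continue  # IP alias row, no counters to read
        fields = line.split()
        if len(fields) != 12 or fields[0] == "Iface":
            continue  # header line, or a row not in the expected layout
        stats[fields[0]] = dict(zip(COUNTERS, map(int, fields[3:11])))
    return stats

def counter_deltas(before, after):
    """Per-interface counter growth for interfaces present in both snapshots."""
    return {i: {c: after[i][c] - before[i][c] for c in COUNTERS}
            for i in before if i in after}

def moving_error_counters(before, after):
    """(iface, counter, delta) for every error/drop/overrun counter that grew."""
    deltas = counter_deltas(before, after)
    return sorted((i, c, d[c]) for i, d in deltas.items()
                  for c in ERROR_COUNTERS if d[c] > 0)
```

Take the two snapshots a few minutes apart during the slow transfer; a static TX-ERR with a large TX-OK delta points away from the NIC and towards the rule set, as the reply above suggests.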