Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!munnari.OZ.AU!news.Hawaii.Edu!news.lava.net!news-w.ans.net!newsfeeds.ans.net!newsjunkie.ans.net!newsfeeds.ans.net!news.sprintlink.net!news-stk-200.sprintlink.net!www.nntp.primenet.com!nntp.primenet.com!news.sprintlink.net!news-peer.sprintlink.net!howland.erols.net!news-peer.gsl.net!news.gsl.net!news-stkh.gsl.net!news.gsl.net!eru.mt.luth.se!newsfeed.luth.se!news.luth.se!erix.ericsson.se!erinews.ericsson.se!news
From: etorwi@eto.ericsson.se (Wiker, Raymond)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: FreeBSD for a firewall
Date: 13 Dec 1996 11:19:41 +0100
Organization: Ericsson AS
Lines: 52
Sender: etorwi@storeulv
Message-ID: <hckvia6ycea.fsf@eto.ericsson.se>
NNTP-Posting-Host: bunnahabhain.eto.ericsson.se
Mime-Version: 1.0 (generated by tm-edit 7.93)
Content-Type: text/plain; charset=US-ASCII
X-Newsreader: Gnus v5.2.25/XEmacs 19.14
Cache-Post-Path: bunnahabhain!unknown@193.161.188.151
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:32504

Hiya.

Last week I installed FreeBSD-2.1.6-RELEASE on a 486DX50, with the idea of using it as a simple firewall (packet filter, really). After some fiddling, I got it to work (my problems were actually related to subnetting and ARP entries :-)

At the moment I have a small test network set up in my living-room: an HP712 running HP-UX, the firewall machine, and a Pentium-100 running FreeBSD-2.2-960801-SNAP.

The performance figures are, uh, "not good". As an example, FTP'ing a ~120 kb file from the Pentium to the HP, I get anything from ~10 KB/sec to 650 KB/sec, but normally about 20 KB/sec. On the other hand, if I use "spray" from the HP to the Pentium, I get up to about 800 KB/sec, no lost packets. In the opposite direction I lose something like 80% of all packets, and the throughput is much lower.

Other data:

The firewall machine is set up with forwarding enabled, and ARP_PROXYALL.

The network interfaces are 3c509s, with ep0 at 0x300/int 10 and ep1 at 0x210/int 11.

The only rules used for ipfw are the default rule (deny all from any to any) and "pass all from any to any"; in effect, this should mean that everything goes through.

The firewall machine has a 500 MB IDE disk and 20 MB RAM - it was initially set up with BOUNCE_BUFFERS, but I've built a new kernel without BOUNCE_BUFFERS and with RAM limited to 16MB (which shouldn't have any effect, I think - I haven't tried this yet.)

On the gateway machine and the "secure" machine I use 27-bit network masks (255.255.255.224), and proxy arp to force the "outer" machine to send packets for the "secure" machine to the gateway. The outer machine uses a straight class-C address.

I've tried Intel EtherExpress (ix0) or 3c509s in the Pentium, with similar results.

I'm going to build another test kernel with forwarding but without ipfw - the only reason I haven't done so yet is that after using faster machines, the kernel compile time on the 486 is a bit painful :-)

So, does anybody have a good explanation of what's happening? Is it ipfw that eats bandwidth, or the forwarding code? Could it be overruns in the network adapter code, or possibly that the 3c509 is a low-performer? The ARP_PROXYALL option, perhaps?

I would appreciate any hints about this; if possible, with a copy by email - I follow this newsgroup regularly, but I am a bit pressed for time just now.

Thanks,

//Raymond.

---
Raymond Wiker / etorwi@eto.ericsson.se / ETO.ETORWI
Boks 44, 4817 HIS, NORWAY / Tel +47 370 51482
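The subnetting arrangement in the post (a 27-bit mask on the gateway and the "secure" host, a plain class-C mask on the "outer" host, and proxy ARP on the gateway) is easy to get wrong, and the ARP-entry trouble the poster mentions is the usual symptom. The following is an added example, not part of the original post or of FreeBSD, that works through the on-link decision each host makes and shows exactly why the gateway has to answer ARP for the secure host. The addresses are constructed from the RFC 5737 documentation range; the post gives only the masks, not the real addresses, and the function names are my own.

```python
import ipaddress

# Constructed topology (documentation addresses; the post gives masks only).
# Outer host:   192.0.2.10  with a /24 mask ("straight class-C address")
# Gateway ep0:  192.0.2.1   /27  (outer side, network 192.0.2.0/27)
# Gateway ep1:  192.0.2.33  /27  (inner side, network 192.0.2.32/27)
# Secure host:  192.0.2.40  /27  default gateway 192.0.2.33
OUTER_HOST, OUTER_MASK, OUTER_GW = "192.0.2.10", 24, "192.0.2.1"
SECURE_HOST, SECURE_MASK, SECURE_GW = "192.0.2.40", 27, "192.0.2.33"


def on_link(src_ip, src_prefixlen, dst_ip):
    """True if a host configured as src_ip/src_prefixlen believes dst_ip is on
    its own subnet, i.e. it will ARP for dst_ip directly instead of sending
    the packet to its default gateway."""
    net = ipaddress.ip_network(f"{src_ip}/{src_prefixlen}", strict=False)
    return ipaddress.ip_address(dst_ip) in net


def next_hop(src_ip, src_prefixlen, default_gw, dst_ip):
    """The address the sending host will ARP for: the destination itself when
    it is on-link, otherwise the default gateway."""
    return dst_ip if on_link(src_ip, src_prefixlen, dst_ip) else default_gw


def needs_proxy_arp(outer_ip, outer_prefixlen, secure_ip, secure_prefixlen):
    """Proxy ARP on the gateway is required exactly when the outer host thinks
    the secure host is local (so it ARPs for the secure host's address, which
    nothing on the outer segment owns) while the secure host does not consider
    the outer host local (so the reply path really goes through the gateway).
    Without the proxy, the outer host's ARP for the secure host goes unanswered
    and the connection simply hangs."""
    return on_link(outer_ip, outer_prefixlen, secure_ip) and not on_link(
        secure_ip, secure_prefixlen, outer_ip
    )


def asymmetry_report():
    """Summarise what each side does for traffic to the other."""
    return {
        "outer_to_secure_arps_for": next_hop(OUTER_HOST, OUTER_MASK, OUTER_GW, SECURE_HOST),
        "secure_to_outer_arps_for": next_hop(SECURE_HOST, SECURE_MASK, SECURE_GW, OUTER_HOST),
        "gateway_must_proxy_arp": needs_proxy_arp(OUTER_HOST, OUTER_MASK, SECURE_HOST, SECURE_MASK),
    }


if __name__ == "__main__":
    for key, value in asymmetry_report().items():
        print(f"{key}: {value}")
```

Running it shows the asymmetry the post relies on: the outer host ARPs for 192.0.2.40 itself (its /24 view says the secure host is local), while the secure host ARPs for its gateway 192.0.2.33, so the gateway must answer the first ARP on the secure host's behalf. Changing the outer host's mask to /27 makes `needs_proxy_arp` return False, which is the clean alternative to ARP_PROXYALL when you control the outer host's configuration.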