On Saturday 08 February 2003 05:40 am, Robert Fox wrote:
> When the firewall is enabled - the performance is dramatically slower
> (seems to go in bursts) - I would expect the firewall to be slower due to
> the packet inspection overhead - but this seems VERY dramatic as far as
> the performance difference.
First, I would strongly suggest getting a cheapo machine to be the firewall and having it separate from the machine that's serving files to your LAN. Not only is it more secure, you'll get much better LAN performance as local packets won't be going through the firewall. At one time I had my main server machine doing the job (a Celeron 300 - and at the time, it was not yet obsolete), but I offloaded the job to a crappy 486sx and my LAN performance improved.

If you can't find an old machine, or don't want the hassle of building a scaled-down Linux install for it (plug for Mandrake SNF seems appropriate here), then you'll need to seriously consider your iptables configuration. If your "output" and "input" chains are just long strings of rules, every packet has to go through every rule to see if it will be allowed. A better solution is to set up a few chains - laninput, lanoutput, inetinput, inetoutput for example - and have your main rules just jump to one of these chains based on which interface the packet is coming from/going to. Then your LAN rules can be super simple, and only your packets going to/coming from the Internet have to pass through a strict set of rules. This should make a difference in your LAN performance.

I'd offer up an example, but my server has long since been reinstalled since I had it doing the firewalling job, so I don't have my old rulesets anymore. You can probably find a good example on the web somewhere.

-- 
Brian Smith
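The per-interface chain layout described in the reply, written out as an added example (this is not Brian's lost ruleset or anything from the list). It assumes eth0 faces the Internet, eth1 faces the LAN, the LAN is 192.168.1.0/24, the box forwards for LAN hosts, and SSH is the only service exposed to the outside; all of those are assumptions, not facts from the thread. By default it only prints the `iptables` commands (a dry run); set `IPT=iptables` and run as root to apply them.

```shell
#!/bin/sh
# Added example: per-interface iptables chains as sketched in the post.
# Assumptions (not from the post): eth0 faces the Internet, eth1 faces the LAN,
# the LAN is 192.168.1.0/24, the box forwards LAN traffic to the Internet and
# accepts SSH from outside. Default is a dry run that prints the commands;
# run with IPT=iptables as root to apply them for real.

IPT="${IPT:-echo iptables}"
INET_IF="${INET_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

build_firewall() {
    # Start clean, default-deny on INPUT and FORWARD.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # One chain per interface and direction, so a packet only walks the
    # rules that apply to it instead of one long flat list.
    for chain in laninput lanoutput inetinput inetoutput; do
        $IPT -N "$chain"
    done

    # The built-in chains hold nothing but the dispatch jumps.
    $IPT -A INPUT  -i lo         -j ACCEPT
    $IPT -A INPUT  -i "$LAN_IF"  -j laninput
    $IPT -A INPUT  -i "$INET_IF" -j inetinput
    $IPT -A OUTPUT -o "$LAN_IF"  -j lanoutput
    $IPT -A OUTPUT -o "$INET_IF" -j inetoutput

    # LAN side: two rules. Accept anything from our own subnet (which also
    # drops spoofed source addresses arriving on the LAN interface).
    $IPT -A laninput  -s "$LAN_NET" -j ACCEPT
    $IPT -A laninput  -j DROP
    $IPT -A lanoutput -j ACCEPT

    # Internet side: strict. Replies to our own connections, new SSH, nothing else.
    $IPT -A inetinput -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A inetinput -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A inetinput -j DROP
    $IPT -A inetoutput -j ACCEPT

    # Forwarding for LAN hosts: outbound to the Internet, and replies back in.
    $IPT -A FORWARD -i "$LAN_IF" -o "$INET_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$INET_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# How many rules a packet entering the given chain has to walk (counted from
# the dry-run output). Useful for checking that the LAN path stays short.
rules_in_chain() {
    (IPT="echo iptables"; build_firewall) | grep -c -- "-A $1 "
}

build_firewall
```

With this layout a packet arriving on the LAN interface is evaluated against the three jump rules in INPUT and then the two rules in `laninput`; only traffic on the Internet interface reaches the stateful rules in `inetinput`. Adding more Internet-facing rules later lengthens `inetinput` without slowing the LAN path at all.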
