Firewall Optimization Options
-
hello,
i'm trying to find more information about the algorithm that is used for the firewall optimization options (normal, high-latencey, aggressive, conservative) specifically, how long the "normal" setting waits until it times out the state and flushes the state entries.
i'm doing a bit of testing and generated 2 million states at which point my state table (set at 2 million) collapsed, started dropping connection and blocking new ones as expected. however, once i reached this point i stopped flooding the states to see how long it would take for the pfsense box to recover without any intervention. i waited 20+ minutes and i still could not start new connections eventually i rebooted the box. i'm trying to figure out how long it would take for my firewall to recover on it's own if it ever gets flooded.
any input is appreciated.
-
My states on 1.2.2 is 10,000
-
Yes Jigpe, but that is not the issue here….. I guess the concern is flood attacks, and you want to know when the PFsense box will recover and go online again....
I dont know. I have 250.000 states setup in my wall....
-
another thing i'm noticing, is that if i generate a constant stream of 35,000 PPS the firewall does not seem to handle this well. i can't tell what's happening because the firewall locks up once i do this(i'm thinking cpu?). i'm running 1.2.3 RC1 on a 2.8 P4 with over 1 gig of RAM. however, i can use iperf and am capable of transfering over 500 Mbits/sec. i would think that i should be able to achieve much higher PPS with pfSense and my hardware.
-
If you can, then try to upgrade the hardware with NIC's, CPU and memory…
See if this changes the threshold of lockup....
I am running a IBM Xseries 345 with 4gb ram, dual Xeon 3ghz on a pretty busy connection. I havent had any trouble at all.
Are your NIC's offloading??
-
i haven't changed the offloading from it's default state, so i believe the correct answer would be yes, they are offloading per default?..
as far as upgrading CPU, pf doesn't take advantage of SMP so I would think 2.8Ghz would cover close to 100,000 Packets Per Second. Ram, I just checked and the box has 1.5 gig, not to shabby either. now, the nics on the other hand are relatively cheap. they are gigabit but one is the onboard card (broadcom netxtreme gigabit controller) and the other is ( <realtek 8169="" 8169s="" 8169sb(l)="" 8110s="" 8110sb(l)="" gigabit="" ethernet)="" which="" i="" know="" is="" a="" cheapy…<br="">i should also mention that i haven't had any issues while running under normal condititions. i only run into these problems when i start running tools like unicornscan purely for performance and benchmark testing.</realtek>
-
yeah, i've figured out that it's the "pfctl" command that sucks up all the cpu.