[Shorewall-users] Large number of SNAT'd addresses loads very
hparker at homershut.net
Wed Dec 10 16:25:54 PST 2003
On Tue, 2003-12-09 at 22:16, Clint Miller wrote:
> We use openvpn and shorewall extensively and it all works very well. We have
> a need to SNAT many addresses behind shorewall firewalls to private addresses
> on our tunneled interface so we can prevent address clashing on our VPN. In
> small installations (10s of addresses to nat) this works well. In large
> installations (100s of addresses on multiple lans) shorewall still works but
> slows to a crawl during the "Adding IP Addresses" in the "Activating Rules"
> phase. For instance one of our sites has 4 class C networks that we nat to
> comply with our VPN addressing. It takes over 45 minutes to load on a PIII
> with 512MB ram with a load well under 0.5. Below is the section where
> shorewall begins to slow.
Tom has stated in the past that changing your shell in the script to
ash seems to speed things up some... Worth a try..
Homer Parker                /"\  ASCII Ribbon Campaign
                            \ /  No HTML/RTF in email
http://www.homershut.net     x   No Word docs in email
telnet://bbs.homershut.net  / \  Respect for open standards
"Bill Gates reports on security progress made and the challenges ahead."
-- Microsoft's Homepage, on the day an SQL Server bug crippled large
sections of the Internet.