[Shorewall-users] Large number of SNAT'd addresses loads very slowly

Homer Parker hparker at homershut.net
Wed Dec 10 16:25:54 PST 2003


On Tue, 2003-12-09 at 22:16, Clint Miller wrote:
> We use openvpn and shorewall extensively and it all works very well.  We have
> a need to SNAT many addresses behind shorewall firewalls to private addresses
> on our tunneled interface so we can prevent address clashing on our VPN.  In
> small installations (10s of addresses to nat) this works well.  In large
> installations (100s of addresses on multiple lans) shorewall still works but
> slows to a crawl during the "Adding IP Addresses" in the "Activating Rules"
> phase.  For instance one of our sites has 4 class C networks that we nat to
> comply with our VPN addressing.  It takes over 45 minutes to load on a PIII
> with 512MB ram with a load well under 0.5.  Below is the section where
> shorewall begins to slow.

Tom has stated in the past that changing your shell in the script to
ash seems to speed things up some... Worth a try.

-- 
Homer Parker                  /"\ ASCII Ribbon Campaign
                              \ / No HTML/RTF in email
http://www.homershut.net       x  No Word docs in email
telnet://bbs.homershut.net    / \ Respect for open standards

"Bill Gates reports on security progress made and the challenges ahead."
-- Microsoft's Homepage, on the day an SQL Server bug crippled large
   sections of the Internet.
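An added example for trying the suggestion above (this is not Shorewall's own
code and is not from either poster): a POSIX sh script that prints, without
executing, the per-address commands that a one-to-one SNAT of a /24 onto a
private VPN range comes down to, so the same loop can be timed under bash and
ash with nothing touching the live firewall. The prefixes (10.1.x, 192.168.x),
the interface name tun0 and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Shorewall code: emit the per-address commands that a
# one-to-one SNAT of a /24 onto a private VPN range amounts to. DRY RUN:
# the commands are printed, never executed, so this needs no root.
# The prefixes and the interface name tun0 are hypothetical.

# Print one host's worth of work: add the private alias to the VPN
# interface, then SNAT traffic from the real address to that alias.
emit_one() {
    real="$1"; priv="$2"; dev="$3"
    printf 'ip addr add %s/32 dev %s\n' "$priv" "$dev"
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$dev" "$real" "$priv"
}

# Expand two /24 prefixes host by host (.1 .. .254 map to the same host
# number); this is the kind of loop that grows linearly with the address count.
gen_snat_block() {
    real_pfx="$1"; priv_pfx="$2"; dev="${3:-tun0}"
    i=1
    while [ "$i" -le 254 ]; do
        emit_one "$real_pfx.$i" "$priv_pfx.$i" "$dev"
        i=$((i + 1))
    done
}

# Total commands produced for N class C networks (e.g. the 4 mentioned in the
# thread): 10.1.<k>.0/24 -> 192.168.<50+k>.0/24, two commands per host.
count_cmds() {
    n="$1"; total=0; k=0
    while [ "$k" -lt "$n" ]; do
        total=$((total + $(gen_snat_block "10.1.$k" "192.168.$((50 + k))" tun0 | wc -l)))
        k=$((k + 1))
    done
    echo "$total"
}
```

To compare interpreters, source the file and time the same loop under each,
e.g. `time bash -c '. ./snat_gen.sh; count_cmds 4 >/dev/null'` against
`time ash -c '. ./snat_gen.sh; count_cmds 4 >/dev/null'`; the difference you
see there is shell overhead only, since nothing here forks iptables or ip.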
