teastep at shorewall.net
Tue May 27 07:05:13 PDT 2003
On Tue, 27 May 2003 12:11:58 +0200, Nicolas Helleringer
<nicolas.helleringer at wanadoomaps.com> wrote:
> Hi all,
> quite new as a shorewall user, I have a few questions :
> -> how many concurrent requests shall shorewall be able to handle on a
> PIII 500Mhz with 256 Mo RAM on a 3 interface configuration with about 50
> rules ? (roughly ...)
None -- Shorewall doesn't handle requests. Shorewall is a tool for
configuring Netfilter, the packet filtering engine in the 2.4 kernels. It
is netfilter that does the packet filtering. I recommend that you look at
the list archives at http://www.netfilter.org - variations on this question
get asked a lot.
> -> how to have /proc/sys/net/ipv4/ip_conntrack_max set to a high
> value each reboot (sorry not that much shorewall related)
Your distribution should have a means for doing that. On RedHat, it is
> -> If I am right it is possible to have NAT applied on all interfaces
Yes, but you usually don't want to use that option.
> Is it possible to do the same with masquerading ?
You can set up masquerading for traffic from multiple internal interfaces,
> I am trying to build a firewall that has to handle as much as 32 Mbits
> of outgoing traffic.
> When I plug my shorewall box (mandrake MNF 8.2) the web sites behind it
> seem so slow ... and could not find why.
> Cpu is between 15 and 35 and no more than 50Mo of RAM is being used.
> I eliminated the first bottleneck with ip_conntrack size set to 65535
> but the firewall is still too slow ...
> Any ideas ?
Again, check the netfilter list archives -- this question also comes up
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep at shorewall.net