[Shorewall-users]

Tom Eastep teastep at shorewall.net
Tue May 27 07:05:13 PDT 2003


On Tue, 27 May 2003 12:11:58 +0200, Nicolas Helleringer 
<nicolas.helleringer at wanadoomaps.com> wrote:

> Hi all,
>
> quite new as a shorewall user, I have a few questions:
>
> -> how many concurrent requests shall shorewall be able to handle on a
> PIII 500MHz with 256 MB RAM on a 3-interface configuration with about 50
> rules? (roughly ...)

None -- Shorewall doesn't handle requests. Shorewall is a tool for 
configuring Netfilter, the packet filtering engine in the 2.4 kernels. It 
is netfilter that does the packet filtering. I recommend that you look at 
the list archives at http://www.netfilter.org - variations on this question 
get asked a lot.

> -> how to have /proc/sys/net/ipv4/ip_conntrack_max set to a high value
> each reboot (sorry, not that much shorewall related)

Your distribution should have a means for doing that. On RedHat, it is 
/etc/sysctl.conf.

> -> If I am right it is possible to have NAT applied on all interfaces ...

Yes, but you usually don't want to use that option.

> Is it possible to do the same with masquerading?

You can set up masquerading for traffic from multiple internal interfaces, 
yes.

>
> I am trying to build a firewall that has to handle as much as 32 Mbits
> of outgoing traffic.
> When I plug in my shorewall box (Mandrake MNF 8.2) the web sites behind it
> seem so slow ... and I could not find why.
> CPU is between 15 and 35 and no more than 50 MB of RAM is being used.
> I eliminated the first bottleneck with ip_conntrack size set to 65535
> but the firewall is still too slow ...
>
> Any ideas?

Again, check the netfilter list archives -- this question also comes up 
frequently.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep at shorewall.net
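An added check, written for this thread rather than taken from it or from the Shorewall project, covering the two points raised above: how full the conntrack table is, and whether the raised ip_conntrack_max is actually persisted in /etc/sysctl.conf. It assumes the live entry count is read from the 2.4-era /proc/net/ip_conntrack listing (one line per entry); the 80% threshold is an arbitrary choice.

```shell
#!/bin/sh
# Example script (not from the thread). Values and paths are parameters so the
# checks can be run against constructed inputs as well as the live system.

# conntrack_usage_pct COUNT MAX
#   prints the percentage of the conntrack table in use (integer division)
conntrack_usage_pct() {
    [ "$2" -gt 0 ] 2>/dev/null || return 1
    echo $(( $1 * 100 / $2 ))
}

# conntrack_max_persisted SYSCTL_CONF
#   prints the conntrack limit that sysctl.conf sets at boot, or "none".
#   Accepts the 2.4-era key (net.ipv4.ip_conntrack_max) and the key used by
#   later kernels (net.netfilter.nf_conntrack_max); commented-out lines are
#   ignored and the last active setting wins.
conntrack_max_persisted() {
    awk -F= '
        /^[[:space:]]*net\.(ipv4\.ip|netfilter\.nf)_conntrack_max[[:space:]]*=/ { v = $2 + 0 }
        END { if (v > 0) print v; else print "none" }
    ' "$1"
}

# conntrack_check COUNT MAX SYSCTL_CONF [THRESHOLD_PCT]
#   prints "table-nearly-full", "limit-not-persisted" or "ok"
conntrack_check() {
    pct=$(conntrack_usage_pct "$1" "$2") || return 1
    threshold=${4:-80}   # assumption: warn at 80% of the table
    if [ "$pct" -ge "$threshold" ]; then
        echo table-nearly-full
    elif [ "$(conntrack_max_persisted "$3")" = none ]; then
        echo limit-not-persisted
    else
        echo ok
    fi
}

# Live usage on a 2.4-era box (assumed paths; count = entries in the table):
# conntrack_check "$(wc -l < /proc/net/ip_conntrack)" \
#                 "$(cat /proc/sys/net/ipv4/ip_conntrack_max)" /etc/sysctl.conf
```

A "limit-not-persisted" result means the value set by hand in /proc will be lost at the next reboot, which is exactly the situation the second question describes.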

