From mboxrd@z Thu Jan  1 00:00:00 1970
From: Gregory Carter
Subject: Re: need advice for high traffic network
Date: Fri, 20 Jul 2007 09:16:19 -0500
Message-ID: <46A0C3B3.7030705@aesgi.com>
References: <469FE2DC.90300@relevad.com>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <469FE2DC.90300@relevad.com>
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: netfilter-bounces@lists.netfilter.org
Errors-To: netfilter-bounces@lists.netfilter.org
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: Konstantin Svist
Cc: netfilter@lists.netfilter.org

You are running firewalls on the servers AND the routers? Why?

-gc

Konstantin Svist wrote:
> Hi,
>
> I have a network (LAN) consisting of (mostly) gigabit ethernet on a
> few switches. Most of the traffic is taken up by small HTTP requests.
> All computers are running Fedora (all are core 4 through 7).
>
> I've been having some problems with servers not being accessible and
> just last night noticed that the problems disappear when I turn off
> the firewall.
> What happens is that there are lots of small HTTP requests and
> apparently at some point the firewall starts dropping or disallowing
> new connections. This has been verified with both ab (apache
> benchmark) and plain SSH - a lot of times the connections time out or
> take a long time to get established.
> There are ~25 rules total (as listed by 'iptables -L')
>
> As a temporary measure, I've turned off firewalls on more of the
> servers until I can figure out a better solution - I'd like to have a
> firewall on each server, but performance is more important.
>
> I'm looking at nf-HiPAC right now - will probably try it some time
> soon. Beyond that, I'm out of ideas for the moment.
>
> Is there anything else I can do?
> Any other firewalls? Tricks with rearranging the rules?
> etc...
>
>
> Thanks!
>
>
>
> Notes:
> * Problems do not seem to be limited to any specific Fedora version or
> hardware.
> * external firewalls are out of the question, unless they're really
> small & cheap: there are >40 servers in the internal network and the
> number is growing
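The symptom in the quoted post (new connections dropped under a flood of small HTTP requests while the rule set is tiny) is what a full kernel connection-tracking table looks like, since the stateful rules iptables installs depend on it. The script below is an added diagnostic, not code from this thread or from anyone on it; it assumes conntrack exhaustion as one candidate cause, which the thread does not establish, and the kernel-log lines in it are constructed.

```sh
#!/bin/sh
# Added diagnostic, not from the netfilter thread. It assumes one candidate
# cause (conntrack table exhaustion) that the thread itself does not establish.

# Constructed sample kernel-log lines for an offline run (not real output).
SAMPLE_LOG='Jul 19 23:01:02 web1 kernel: ip_conntrack: table full, dropping packet.
Jul 19 23:01:02 web1 kernel: ip_conntrack: table full, dropping packet.
Jul 19 23:01:05 web1 kernel: eth0: link up'

# Succeed (exit 0) when count/max is at or above pct percent; exit 2 on a bad max.
conntrack_pressure() {
    count=$1; max=$2; pct=$3
    [ "$max" -gt 0 ] 2>/dev/null || return 2
    [ $(( count * 100 / max )) -ge "$pct" ]
}

# Print how many "table full, dropping packet" lines appear in the text given as $1.
count_table_full() {
    printf '%s\n' "$1" | grep -c 'table full, dropping packet' || true
}

# Print "<count> <max>" from the live sysctls: the nf_conntrack path on newer
# kernels, the ip_conntrack path on the 2.6-era Fedora Core systems in the thread.
conntrack_values() {
    for f in /proc/sys/net/netfilter/nf_conntrack \
             /proc/sys/net/ipv4/netfilter/ip_conntrack; do
        if [ -r "${f}_count" ] && [ -r "${f}_max" ]; then
            echo "$(cat "${f}_count") $(cat "${f}_max")"
            return 0
        fi
    done
    return 1
}

main() {
    if vals=$(conntrack_values); then
        set -- $vals
        if conntrack_pressure "$1" "$2" 90; then
            echo "conntrack table near its limit: $1 of $2 entries in use"
        else
            echo "conntrack table OK: $1 of $2 entries in use"
        fi
    else
        echo "no conntrack sysctls readable; checking the constructed sample log only"
    fi
    log=$(dmesg 2>/dev/null) || log=$SAMPLE_LOG
    echo "'table full, dropping packet' messages seen: $(count_table_full "$log")"
}
main "$@"
```

A table sitting near its maximum while the log shows "table full" lines points at conntrack sizing or timeouts rather than at the 25 rules themselves.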