summaryrefslogtreecommitdiff
path: root/2005/iptables-firewall-heinlein2005/iptables-firewall-heinlein2005-day2.mgp
diff options
context:
space:
mode:
Diffstat (limited to '2005/iptables-firewall-heinlein2005/iptables-firewall-heinlein2005-day2.mgp')
-rw-r--r--2005/iptables-firewall-heinlein2005/iptables-firewall-heinlein2005-day2.mgp159
1 files changed, 159 insertions, 0 deletions
diff --git a/2005/iptables-firewall-heinlein2005/iptables-firewall-heinlein2005-day2.mgp b/2005/iptables-firewall-heinlein2005/iptables-firewall-heinlein2005-day2.mgp
new file mode 100644
index 0000000..cb929b7
--- /dev/null
+++ b/2005/iptables-firewall-heinlein2005/iptables-firewall-heinlein2005-day2.mgp
@@ -0,0 +1,159 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+netfilter/iptables training
+Nov 05/06/07, 2007
+Day 2
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@netfilter.org>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables tutorial
+Contents
+
+ Day 2
+
+ Practical Exercises
+ Logging with ulogd
+ Choice of Hardware
+ Network Stack Tuning
+ Ruleset Optimization
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables tutorial
+Practical Exercises
+
+
+ Practical Exercises
+
+ As discussed within the course
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables tutorial
+Logging with ulogd
+
+
+ Why?
+ because LOG is extremely inefficient
+ because LOG is unreliable, too
+ LOG on full-speed DoS: 1100 logs/sec
+ ULOG/LOGEMU on full-speed DoS: 96000 log/sec
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables tutorial
+Logging with ulogd
+
+
+ Configuration of ruleset:
+ -j ULOG
+ --ulog-nlgroup: which netlink group (up to 32)
+ --ulog-cprange: how many bytes of each package?
+ --ulog-qthreshold: how many packets to queue
+ --ulog-prefix: like "--log-prefix"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables tutorial
+Logging with ulogd
+
+ Configuration of ulogd:
+ Please refer to "doc/ulogd.html" documentation
+
+ If logging remotely, make sure you don't ever log log-packets (!)
+ Debian woody ships with a broken ulogd (and refuses to fix it)
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables tutorial
+Choice of hardware
+
+ Choice of hardware is important for high scalability
+ Packet forwarding is one of the most demanding tasks
+ Important issues
+ Optimization of NIC driver
+ RAM latency
+ Cache size
+ Interrupt Latency
+ I/O Bandwidth
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables tutorial
+Choice of hardware
+
+ Past benchmarking has shown
+ AMD Opteron/Athlon64 has way better RAM latency than Intel
+ PCI-X is the preferred bus technology
+ Intel e1000 card + driver combo has good performance
+ Never use four-port cards, sicne they have additional bridges
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables tutorial
+Choice of hardwawre
+
+ SMP or not SMP ?
+ The improvement of SMP is arguable for packet forwarding
+ Esp. connection tracking suffers from excessive cache ping-pong
+ In case of two interfaces, there can be no improvement
+ all packets will affect DMA with both interfaces
+ putting one device on each IRQ causes more cache misses than anything else
+ In case of four, eight interfaces, IRQ affinity can be used to distribute
+ put a pair of interfaces on each cpu
+ forwarding between those two interfaces will be fast
+ forwarding between interfaces on differenc cpu's slower
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables tutorial
+Network Stack tuning
+
+ Tuning areas
+ IRQ affinity
+ neighbour cache
+ kernel compile-time config
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables tutorial
+Optimization of Ruleset
+
+ Optimization of ruleset important
+ iptables itself does no optimization
+ all rules are traversed linearily
+ all matches are processed linearily
+ therefore, order _does_ matter for performance reasons
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+netfilter/iptables tutorial
+Optimization of Ruleset
+
+ Good ideas for optimization
+ build a tree-like structure out of user-defined chains
+ avoid long lists
+ keep in mind the average number of traversed rules per packet
+ don't repeat excessive matching in each rule, use new chains
+
+
personal git repositories of Harald Welte. Your mileage may vary