
List:       firewalls-gc
Subject:    Re: Firewall-1 Rulebase Maximum Size
From:       "Otto Goencz" <Otto.Goencz () internetprivacysolutions ! com>
Date:       2001-01-30 23:09:30

I somewhat disagree with your assessment of the size of the rule base. The
following is Nokia's setup of the rule base size for performance testing
purposes:

"The rule base of the FireWall-1 device under test was configured with 100
rules all following the general form "network x to network y, drop, no
logging." After the 100th rule, we added the necessary rules to allow
traffic between Networks A and B. This way, any rule base check needed to
traverse 100 rules before traffic was allowed by the 101st rule and after.
A rule base of 100 rules is Check Point's standard for test purposes."

The memory error message "Unable to allocate 68 bytes of memory" is related
to the state table size and not to the size of the rule base. Depending on
the CP FW-1 version, the available memory, the OS platform, etc., the size
of the memory allocated for the firewall ranges between 3-16 MB. The new
Nokia package includes 256MB memory and the 3.3 IPSO version, which by
default will allocate 16MB memory for the firewall. On the NT and Solaris
platforms it is 5MB, if my memory (pun intended) serves me right. The
firewall kernel keeps 2MB and the rest is pretty much left to the state
table. On a default installation of FW-1 it actually isn't that hard to run
out of memory during testing of the web servers with Load Runner or a
similar load testing application. Knowing that refreshing the state table
takes about a minute and the size of memory needed for each connection, one
could calculate the connection "break" point for the firewall. Not to
mention the default number of connections allowed in the state table, but
that is another aspect of FW-1.
Regards,

Otto
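
The connection "break point" estimate described above, worked through as an
added example. This is not Check Point code and not from the original post:
it models the state table as a fixed-capacity pool whose entries expire
after a timeout, derives the capacity from the kernel memory figures quoted
above (5MB pool, 2MB kept by the kernel), and finds the sustained connection
rate at which allocations start failing. The 256 bytes per entry, the 60 s
entry timeout and the 25,000-connection limit are assumptions chosen for
illustration; the 68 bytes in the error message is one failed allocation,
not the size of a table entry.

```python
from collections import deque

MB = 1024 * 1024


def table_capacity(kernel_mem_bytes, reserved_bytes, bytes_per_conn, max_conns=None):
    """Entries that fit in the kernel memory left after the firewall's own
    reservation, capped by the configured connection limit when one is given."""
    usable = kernel_mem_bytes - reserved_bytes
    if usable <= 0:
        raise ValueError("no memory left for the state table")
    capacity = usable // bytes_per_conn
    if max_conns is not None:
        capacity = min(capacity, max_conns)
    return capacity


def break_point_rate(capacity, timeout_s):
    """New connections per second above which entries are created faster
    than the timeout retires them, so the table must eventually fill."""
    return capacity / timeout_s


class StateTable:
    """Toy connection table: fixed capacity, each entry lives timeout ticks."""

    def __init__(self, capacity, timeout_ticks):
        self.capacity = capacity
        self.timeout = timeout_ticks
        self.expiry = deque()   # expiry ticks, in insertion order
        self.refused = 0

    def open(self, now):
        while self.expiry and self.expiry[0] <= now:
            self.expiry.popleft()             # retire timed-out entries
        if len(self.expiry) >= self.capacity:
            self.refused += 1                 # the "unable to allocate" case
            return False
        self.expiry.append(now + self.timeout)
        return True


def simulate(capacity, timeout_s, rate_per_s, duration_s):
    """Open rate_per_s connections per second for duration_s seconds.
    Time is counted in ticks of 1/rate_per_s s so the arithmetic is exact.
    Returns (refused_count, second_of_first_refusal or None)."""
    table = StateTable(capacity, timeout_s * rate_per_s)
    first_refusal = None
    for tick in range(rate_per_s * duration_s):
        if not table.open(tick) and first_refusal is None:
            first_refusal = tick // rate_per_s
    return table.refused, first_refusal


# Parameters: the 5MB pool and 2MB kernel reservation quoted in the post for
# NT / Solaris; bytes per entry, entry timeout and connection limit are
# ASSUMED values for illustration, not Check Point defaults.
KERNEL_MEM = 5 * MB
RESERVED = 2 * MB
BYTES_PER_CONN = 256      # assumed
TIMEOUT_S = 60            # assumed ("about a minute")
CONN_LIMIT = 25_000       # assumed

if __name__ == "__main__":
    cap = table_capacity(KERNEL_MEM, RESERVED, BYTES_PER_CONN, CONN_LIMIT)
    print(f"entries that fit: {cap}, "
          f"break point: {break_point_rate(cap, TIMEOUT_S):.1f} conn/s")
    for rate in (200, 300):
        refused, first = simulate(cap, TIMEOUT_S, rate, 120)
        print(f"{rate} conn/s for 120 s: {refused} refused, first at t={first}")
```

With these assumptions 3MB of table memory holds 12288 entries, so the
break point is about 205 new connections per second: a load test at 200/s
never fills the table, while one at 300/s starts refusing allocations after
about 41 seconds and keeps refusing roughly a third of opens thereafter, the
behaviour a Load Runner run against a default install would expose. Lowering
the configured connection limit below the memory-derived figure makes the
limit, not memory, the binding constraint.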


----- Original Message -----
From: <Niels.Thomas.Haugaard@uni-c.dk>
To: "Smedegaard, Paul C" <psmedegaard@kpmg.com>
Cc: <firewalls@lists.gnac.net>
Sent: Tuesday, January 30, 2001 9:12 AM
Subject: Re: Firewall-1 Rulebase Maximum Size


Dear Paul C Smedegaard


There is no hard limit on the size of the rulebase. But you will run out of
memory. You'll get an error message saying something like 'memory
exhausted' or some other error message about NAT (can't remember); then see
the manuals on how to add more memory to the kernel module. You may also
want to monitor the memory usage with 'fw ctl pstat'.

I made some tests with FW1 version 4.1 on Solaris 2.6, Ultra-10, with 640Mb
memory regarding the number of network objects, not the number of rules in
the rulebase. But I think they will give you an idea about the size. Btw,
Check Point has some calculations available on their web site for how much
memory you'll need, for different purposes (e.g. NAT).

The kernel memory was adjusted to 9Mb.

My calculations show how long it takes to compile about 40 rules and a
number of network objects. The firewall does filtering afterwards, without
any significant performance degradation.

Figures below:

Objects        Real        User       Sys
   7016     10:50.3      6:12.6       0.7
   7270     10:23.1      6:40.7       0.8
    ...
  34702     14:31.0        25.3       2.5
  51466   6:33:44.1   5:42:49.0      43.0
    ...
  56800   8:30:40.8   6:41:56.7    1:24.1


It takes much less time to compile an ipfilter rulebase on OpenBSD with one
filter line for each object (a few minutes). And it does the filtering
equally fast with the same bandwidth.

On 29 January (Mon), 2001 at 08:07:16PM -0500, Smedegaard, Paul C wrote:
> Here's the environment:
>
> HP-UX, 512MB RAM, Firewall-1 4.0
>
> Is there a theoretical maximum size or number of rules that I can have?
> If so, what are the parameters and input that go into this calculation?
> How can I increase the rulebase size if necessary?  Any and all help is
> appreciated.
>
> Thanks, Paul

Venlig hilsen / Best regards, Thomas Haugård

--
Niels Thomas Haugård  Office: + 45 35 87 88 89                 _ __/|
UNI-C                 Fax:    + 45 35 87 88 90                 \'x X'
Vermundsgade 5        E-mail: niels.thomas.haugaard@uni-c.dk   =(_o_)=
DK-2100 København Ø   WWW:    http://www.uni-c.dk                 U
Denmark.              PGP key finger@haugaard.net               |>o<|
      My desk isn't messy  - it's encrypted


