Thu, 16 Jul 2009
Optimizing large Linux-based firewalls
When deploying large Linux-based firewalls with tens or hundreds of interfaces and hosts behind them, some kernel parameters have to be configured correctly. The values that most often need tuning are:
- The maximum number of allowed conntrack entries (net.nf_conntrack_max) and the size of the hash table used to store them (the hashsize parameter of the nf_conntrack module). This is documented in the Netfilter conntrack performance tweaking document.
- The maximum number of elements in the routing cache (net.ipv4.route.max_size) and the parameters controlling its garbage collector. This is documented in chapters 30.3, 33.7 and 36.3 of the great Understanding Linux Network Internals book.
- The ARP cache size, set through the thresholds of its garbage collector (net.ipv4.neigh.default.gc_thresh1 and others). This is documented in arp(7).
Even if your firewall works fine with the default parameters, it will crash and burn when it receives certain kinds of DoS traffic: once the conntrack table or the ARP cache hits its limit, new entries (and the packets that need them) are dropped.
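The following script is an added example, not part of the original post. It reports how close a running firewall is to the conntrack and ARP neighbour limits discussed above and counts the kernel's "table full" drop messages in a log; the /proc and /sys paths are the usual ones on 2.6+ kernels, and the 80% warning level is a constructed choice, not a kernel value.

```shell
#!/bin/sh
# Added example: check conntrack / ARP neighbour headroom on a Linux firewall.
# Paths are the usual 2.6+ locations; the 80% warn level is a constructed choice.
CT_COUNT=/proc/sys/net/netfilter/nf_conntrack_count
CT_MAX=/proc/sys/net/netfilter/nf_conntrack_max
CT_HASH=/sys/module/nf_conntrack/parameters/hashsize
ARP_T2=/proc/sys/net/ipv4/neigh/default/gc_thresh2
ARP_T3=/proc/sys/net/ipv4/neigh/default/gc_thresh3

# percent_used USED LIMIT -> integer percentage (0 when LIMIT is 0 or unset)
percent_used() {
    [ "$2" -gt 0 ] 2>/dev/null || { echo 0; return; }
    echo $(( $1 * 100 / $2 ))
}

# level USED LIMIT -> ok | warn | full
level() {
    pct=$(percent_used "$1" "$2")
    if [ "$pct" -ge 100 ]; then echo full
    elif [ "$pct" -ge 80 ]; then echo warn
    else echo ok; fi
}

# bucket_depth MAX HASHSIZE -> average chain length per hash bucket when the
# table is full; long chains make every lookup slower, so keep this small.
bucket_depth() {
    [ "$2" -gt 0 ] 2>/dev/null || { echo 0; return; }
    echo $(( $1 / $2 ))
}

# count_table_full < LOGLINES -> number of conntrack "table full" drops logged
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# report: print live values when the kernel exposes them (skipped otherwise)
report() {
    [ -r "$CT_COUNT" ] && [ -r "$CT_MAX" ] || return 0
    c=$(cat "$CT_COUNT"); m=$(cat "$CT_MAX")
    echo "conntrack: $c/$m ($(level "$c" "$m"))"
    [ -r "$CT_HASH" ] && echo "chain length at max: $(bucket_depth "$m" "$(cat "$CT_HASH")")"
    if [ -r "$ARP_T3" ]; then
        n=$(ip -4 neigh show 2>/dev/null | wc -l)
        echo "arp: $n entries, gc_thresh2=$(cat "$ARP_T2") gc_thresh3=$(cat "$ARP_T3") ($(level "$n" "$(cat "$ARP_T3")"))"
    fi
}
report
```

Feed it a copy of the kernel log (for example `dmesg | count_table_full`) to see whether the table has already overflowed; a non-zero count means nf_conntrack_max, and with it hashsize, needs raising.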