[afnog] IPfw + natd

Mark Tinka mtinka at africaonline.co.zw
Thu Dec 1 19:40:40 EAT 2005 

On Thursday 01 December 2005 17:51, Brian Candler wrote:

> Can you describe "bumping"? Got any numbers? Are you
> testing large transfers (e.g. FTP) or noticing pauses
> in interactive sessions (e.g. ssh)?

DNS queries were eratic from my test client box, but not 
from the firewall itself. At one point Mozilla could 
resolve, and then not - but I wouldn't make this a reason 
to write it off just yet.

> Is the machine 
> heavily loaded?

Not really. I run CPU intensive apps like 'find' and built 
a port or two while running natd, and even though it felt 
like there were some intermitent pauses (noticeable to 
just me, and not users) just like when CPU was at idle, 
it was generally consistent.

> If you are noticing pauses, I would first guess that
> some packet loss is taking place. Enough packet loss to
> be noticable (1-2%) is generated by an ethernet
> 100baseTX duplex mismatch, for example.

Agree - I looked into this first; got single FE port 
adapters on the 7200 edge chassis this firewall is 
calling gateway - autoneg on those is not possible 
(Cisco?), switches are though.

I could have ruled it down to that, except that IPTables 
on Linux seems less interrupted in the same setup (not on 
Sparc, but then again load isn't that high either).

> I would test 
> using
>
>     # ping -s1472 -c300 x.x.x.x
>
> where x.x.x.x is one hop away (then try two hops, then
> three hops etc).

Carrying these out as I debug Cisco's FE PA's.

> Unless your Sparc machine is very slow and/or heavily
> loaded,...

It isn't, really.

> I would doubt that kernel vs. userland is 
> significant here. However, there are two in-kernel
> implementations ('pf' and 'ipf')...

Considered 'ipf', but I want to make sure natd has totally 
failed (that and the fact that it took me several hours 
to write a custom 'ipfw' script that I wouldn't want to 
see go to waste :).

Cheers,

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 827 bytes
Desc: not available
Url : http://listserv2.cfi.co.ug/pipermail/afnog/attachments/20051201/e56a321a/attachment.bin

More information about the afnog mailing list