[Firehol-support] Installing time

Phil Whineray phil at firehol.org
Mon Jul 24 18:33:12 BST 2017


Hi Jonathan

On Mon, Jul 24, 2017 at 04:55:04PM +0200, Jon bae wrote:
> Hello
> 
> I have firehol installed on two different computers, one is used as a router
> and the other as a virtual machine host.
> 
> My router setup is, in my opinion, way more complicated. It manages different
> networks, transparent proxy, traffic shaping and link balance. But the
> installing time is still very good, it takes maybe 3-4 seconds.
> 
> My vm host has a way more simple setup, it only manages the incoming
> interface and the vm network. But it has 5 NAT rules. The bad thing is,
> that here the installing time is, compared to the router, very slow. It takes
> almost 20 seconds.
> 
> On top both have an ipset trap setup, but this is similar.
> 
> Can it be, that using NAT rules gives me this long time for installing?

I think that is very unlikely, there isn't really any difference
between loading a NAT rule and any other. In general I would expect
the start time to be roughly proportional to the number of rules.

A few ideas:

1. Are you running the same firehol on both? Newer firehol versions
   got much faster.

2. Are you running the same kernel? Maybe (complete guess) there is
   a performance difference either in loading rules generally or
   with ipsets in particular?

3. Are you using DNS names anywhere? If there are problems with name
   resolution, timeouts can lead to long delays.

You could try removing different bits of the config to narrow it down
and/or running with "bash -x" to see if something specific seems to
go slow.

Hope that helps
Phil
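
A "bash -x" trace is easier to read for slow spots when every line carries a timestamp. The following is an added example, not part of the original message and not firehol code: it assumes the trace was captured with an epoch timestamp right after the "+" markers (for instance a PS4 containing $EPOCHREALTIME on bash 5 or later), and the names slowest_steps and sample_trace, as well as the trace itself, are constructed for illustration.

```sh
#!/bin/sh
# Rank the commands in a timestamped xtrace by how long each one ran.
# Expected line shape (assumption): "+<epoch.fraction> <command>", with one
# extra "+" per nesting level, as bash -x prints it.

# slowest_steps N  -- reads a trace on stdin, prints the N slowest steps
# as "<seconds><TAB><command>", slowest first.
slowest_steps() {
    awk '
        /^[+]+[0-9]+[.][0-9]+ / {
            line = $0
            sub(/^[+]+/, "", line)              # drop nesting markers
            ts = line;  sub(/ .*/, "", ts)      # timestamp field
            cmd = line; sub(/^[^ ]+ /, "", cmd) # rest of the line
            # A command lasts until the next trace line appears.
            if (seen) printf "%.3f\t%s\n", ts - prev_ts, prev_cmd
            prev_ts = ts; prev_cmd = cmd; seen = 1
        }
        # Lines without a timestamp (continuations, program output)
        # are ignored.
    ' | LC_ALL=C sort -rn | head -n "${1:-5}"
}

# Constructed trace, not real firehol output: a name lookup that waits
# for a resolver timeout sits between two fast rule-loading steps.
sample_trace() {
    cat <<'EOF'
+1500907000.100000 ipset restore
++1500907000.350000 host vm1.example.org
;; connection timed out; no servers could be reached
+1500907015.360000 iptables-restore
+1500907016.000000 echo OK
EOF
}

sample_trace | slowest_steps 3
```

A step that dominates the list, such as the 15 second lookup in the constructed trace, is the place to start removing or replacing config lines.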


