Articles in the Networking category

  1. Linux Iptables Firewall Script Released on Google Code

    Sun 08 January 2012

    I have released LIFS, the Linux Iptables Firewall Script. This script allows you to set up a firewall within minutes. It is easy to use, yet very powerful. It uses Iptables and even overcomes some of the limitations of Iptables.

    Every person who has to maintain some kind of Iptables-based firewall should really look into LIFS. It will make managing your firewall much more convenient.

    For more advanced purposes, LFS allows you to create object groups. These are groups of individual hosts, networks or services (TCP/UDP).

    Look at this example of object groups in action. Read and understand.

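    # Service group: one port/protocol pair per line
    HTTP_SERVICES="
        80/tcp
        443/tcp
    "
    
    WEB_SERVER_1=192.168.0.10
    WEB_SERVER_2=192.168.0.11
    
    # Host group built from the individual host objects
    WEB_SERVERS="
        $WEB_SERVER_1
        $WEB_SERVER_2
    "
    
    # Arguments are any, the host group, any, the service group
    allow_in any "$WEB_SERVERS" any "$HTTP_SERVICES"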
    

    As you can see, a single firewall rule in fact creates 4 rules, one for each host and port. This functionality can be found in commercial firewalls but it is not built into Iptables. LIFS fixes this.
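
    The expansion described above can be sketched as follows. This is an added example, not LIFS's own code: `expand_allow_in` is a hypothetical helper, the INPUT chain is an assumption, and the rules are only printed. It also rejects an empty group, which is what a misspelled group variable expands to.

```shell
#!/bin/sh
# Added illustration, not LIFS source code. Rules are printed, not applied.
HTTP_SERVICES="
    80/tcp
    443/tcp
"
WEB_SERVER_1=192.168.0.10
WEB_SERVER_2=192.168.0.11
WEB_SERVERS="
    $WEB_SERVER_1
    $WEB_SERVER_2
"

# expand_allow_in SRC DST_GROUP SPORT SERVICE_GROUP (hypothetical helper)
# Emits one rule per (destination, service) pair. The INPUT chain is an
# assumption; a routing firewall would use FORWARD instead.
expand_allow_in() {
    src=$1 dsts=$2 sport=$3 services=$4
    # A misspelled group variable expands to nothing; fail loudly instead
    # of silently generating zero rules.
    set -- $dsts
    [ $# -gt 0 ] || { echo "empty destination group" >&2; return 1; }
    set -- $services
    [ $# -gt 0 ] || { echo "empty service group" >&2; return 1; }
    for dst in $dsts; do
        for svc in $services; do
            port=${svc%/*} proto=${svc#*/}
            case "$proto" in
                tcp|udp) ;;
                *) echo "bad service: $svc" >&2; return 1 ;;
            esac
            case "$port" in
                ''|*[!0-9]*) echo "bad port: $svc" >&2; return 1 ;;
            esac
            rule="iptables -A INPUT -p $proto"
            [ "$src" != any ] && rule="$rule -s $src"
            [ "$dst" != any ] && rule="$rule -d $dst"
            [ "$sport" != any ] && rule="$rule --sport $sport"
            echo "$rule --dport $port -j ACCEPT"
        done
    done
}

# Prints 4 rules: 2 hosts x 2 services.
expand_allow_in any "$WEB_SERVERS" any "$HTTP_SERVICES"
```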

    LIFS is a continuation of LFS, which has been discontinued.

  2. Achieving 220 MB/s Network File Transfers Using Linux Bonding

    Fri 29 July 2011

    I wrote an article about the subject of getting beyond the limits of gigabit network file transfers. My solution is to use multiple gigabit network cards and use Linux interface bonding to create virtual 2 gigabit network interfaces. The solution is to use mode 0, or round-robin, bonding. I do not use a switch, although this also works fine. Instead, I just connected two cables between the two machines.

    In my original article, I couldn't get past 150 MB/s file transfer speeds, so the results weren't that great. However, these poor results were due to hardware compatibility issues. Although the onboard network card worked fine, the Intel e1000e card in the PCIe slot didn't perform well. I replaced it with an HP Broadcom card and everything is working smoothly now.

    With two gigabit network cards bonded together I can achieve 220 MB/s through a single file transfer over NFS.

    It would be interesting if a quad port server adapter would be able to achieve 440 MB/s network speeds, but I don't have the equipment to test this.

  3. The Downside of 120 Mbit Broadband Internet

    Sun 30 January 2011

    My Dutch ISP Ziggo provides internet access through DOCSIS cable modems. They are now capable of providing 120 Mbit downstream and 10 Mbit upstream, for an affordable price.

    In a way this is mind boggling. Most people have 100 Mbit home networks that are not capable of handling full capacity. You need at least gigabit network connectivity on your router and internal network.

    But there is a problem with all this bandwidth mayhem:

    It is useless.

    The only time I see the full 120 Mbit in use is when I do a speed test, or when my Mac is downloading system updates. Regular downloading (ISOs, big files from web pages), usenet, bittorrent, they cannot provide content at the speed my connection is capable of.

    The bottleneck is no longer the connection to the home. The whole internet is now the bottleneck. The content providers are the bottleneck. They cannot seem to cope with this increase in client-side bandwidth capacity. They often seem to cap users at a specific download rate that is way below full capacity. Although the connectivity is relatively cheap, if you can't use it, why pay for it? So downgrading to let's say 50 Mbit until content providers are able to handle higher speeds seems the smartest thing to do.

    I must say that I think that content providers are the weakest link. But I cannot be sure. It may be possible that the ISP network, especially their transit links, is the limiting factor. If anyone knows more about this, I'm interested.
