tuning.7 revision 87463
.hlm 0
.\" Copyright (c) 2001, Matthew Dillon. Terms and conditions are those of
.\" the BSD Copyright as specified in the file "/usr/src/COPYRIGHT" in
.\" the source tree.
.\"
.\" $FreeBSD: head/share/man/man7/tuning.7 87463 2001-12-06 20:27:44Z rwatson $
.\"
.Dd May 25, 2001
.Dt TUNING 7
.Os
.Sh NAME
.Nm tuning
.Nd performance tuning under FreeBSD
.Sh SYSTEM SETUP - DISKLABEL, NEWFS, TUNEFS, SWAP
When using
.Xr disklabel 8
to lay out your filesystems on a hard disk it is important to remember
that hard drives can transfer data much more quickly from outer tracks
than they can from inner tracks.
To take advantage of this you should
try to pack your smaller filesystems and swap closer to the outer tracks,
follow with the larger filesystems, and end with the largest filesystems.
It is also important to size system standard filesystems such that you
will not be forced to resize them later as you scale the machine up.
I usually create, in order, a 128M root, 1G swap, 128M
.Pa /var ,
128M
.Pa /var/tmp ,
3G
.Pa /usr ,
and use any remaining space for
.Pa /home .
.Pp
You should typically size your swap space to approximately 2x main memory.
If you do not have a lot of RAM, though, you will generally want a lot
more swap.
It is not recommended that you configure any less than
256M of swap on a system and you should keep in mind future memory
expansion when sizing the swap partition.
The kernel's VM paging algorithms are tuned to perform best when there is
at least 2x swap versus main memory.
Configuring too little swap can lead
to inefficiencies in the VM page scanning code as well as create issues
later on if you add more memory to your machine.
Finally, on larger systems
with multiple SCSI disks (or multiple IDE disks operating on different
controllers), we strongly recommend that you configure swap on each drive
(up to four drives).
The swap partitions on the drives should be approximately the same size.
The kernel can handle arbitrary sizes but
internal data structures scale to 4 times the largest swap partition.
Keeping
the swap partitions near the same size will allow the kernel to optimally
stripe swap space across the N disks.
Don't worry about overdoing it a
little, swap space is the saving grace of
.Ux
and even if you don't normally use much swap, it can give you more time to
recover from a runaway program before being forced to reboot.
.Pp
How you size your
.Pa /var
partition depends heavily on what you intend to use the machine for.
This
partition is primarily used to hold mailboxes, the print spool, and log
files.
Some people even make
.Pa /var/log
its own partition (but except for extreme cases it isn't worth the waste
of a partition ID).
If your machine is intended to act as a mail
or print server,
or you are running a heavily visited web server, you should consider
creating a much larger partition \(en perhaps a gig or more.
It is very easy
to underestimate log file storage requirements.
.Pp
Sizing
.Pa /var/tmp
depends on the kind of temporary file usage you think you will need.
128M is
the minimum we recommend.
Also note that sysinstall will create a
.Pa /tmp
directory, but it is usually a good idea to make
.Pa /tmp
a softlink to
.Pa /var/tmp
after the fact.
Dedicating a partition for temporary file storage is important for
two reasons: first, it reduces the possibility of filesystem corruption
in a crash, and second it reduces the chance of a runaway process that
fills up
.Oo Pa /var Oc Ns Pa /tmp
from blowing up more critical subsystems (mail,
logging, etc).
Filling up
.Oo Pa /var Oc Ns Pa /tmp
is a very common problem to have.
.Pp
In the old days there were differences between
.Pa /tmp
and
.Pa /var/tmp ,
but the introduction of
.Pa /var
(and
.Pa /var/tmp )
led to massive confusion
by program writers so today programs haphazardly use one or the
other and thus no real distinction can be made between the two.
So it makes sense to have just one temporary directory.
However you handle
.Pa /tmp ,
the one thing you do not want to do is leave it sitting
on the root partition where it might cause root to fill up or possibly
corrupt root in a crash/reboot situation.
.Pp
The
.Pa /usr
partition holds the bulk of the files required to support the system and
a subdirectory within it called
.Pa /usr/local
holds the bulk of the files installed from the
.Xr ports 7
hierarchy.
If you do not use ports all that much and do not intend to keep
system source
.Pq Pa /usr/src
on the machine, you can get away with
a 1 gigabyte
.Pa /usr
partition.
However, if you install a lot of ports
(especially window managers and Linux-emulated binaries), we recommend
at least a 2 gigabyte
.Pa /usr
and if you also intend to keep system source
on the machine, we recommend a 3 gigabyte
.Pa /usr .
Do not underestimate the
amount of space you will need in this partition, it can creep up and
surprise you!
.Pp
The
.Pa /home
partition is typically used to hold user-specific data.
I usually size it to the remainder of the disk.
.Pp
Why partition at all?
Why not create one big
.Pa /
partition and be done with it?
Then I don't have to worry about undersizing things!
Well, there are several reasons this isn't a good idea.
First,
each partition has different operational characteristics and separating them
allows the filesystem to tune itself to those characteristics.
For example,
the root and
.Pa /usr
partitions are read-mostly, with very little writing, while
a lot of reading and writing could occur in
.Pa /var
and
.Pa /var/tmp .
By properly
partitioning your system, fragmentation introduced in the smaller, more
heavily write-loaded partitions will not bleed over into the mostly-read
partitions.
Additionally, keeping the write-loaded partitions closer to
the edge of the disk (i.e. before the really big partitions instead of after
in the partition table) will increase I/O performance in the partitions
where you need it the most.
Now it is true that you might also need I/O
performance in the larger partitions, but they are so large that shifting
them more towards the edge of the disk will not lead to a significant
performance improvement whereas moving
.Pa /var
to the edge can have a huge impact.
Finally, there are safety concerns.
Having a small neat root partition that
is essentially read-only gives it a greater chance of surviving a bad crash
intact.
.Pp
Properly partitioning your system also allows you to tune
.Xr newfs 8
and
.Xr tunefs 8
parameters.
Tuning
.Xr newfs 8
requires more experience but can lead to significant improvements in
performance.
There are three parameters that are relatively safe to tune:
.Em blocksize , bytes/inode ,
and
.Em cylinders/group .
.Pp
.Fx
performs best when using 8K or 16K filesystem block sizes.
The default filesystem block size is 8K.
For larger partitions it is usually a good
idea to use a 16K block size.
This also requires you to specify a larger
fragment size.
We recommend always using a fragment size that is 1/8
the block size (less testing has been done on other fragment size factors).
The
.Xr newfs 8
options for this would be
.Dq Li "newfs -f 2048 -b 16384 ..." .
Using a larger block size can cause fragmentation of the buffer cache and
lead to lower performance.
.Pp
If a large partition is intended to be used to hold fewer, larger files, such
as database files, you can increase the
.Em bytes/inode
ratio which reduces the number of inodes (maximum number of files and
directories that can be created) for that partition.
Decreasing the number
of inodes in a filesystem can greatly reduce
.Xr fsck 8
recovery times after a crash.
Do not use this option
unless you are actually storing large files on the partition, because if you
overcompensate you can wind up with a filesystem that has lots of free
space remaining but cannot accommodate any more files.
Using 32768, 65536, or 262144 bytes/inode is recommended.
You can go higher but
it will have only incremental effects on
.Xr fsck 8
recovery times.
For example,
.Dq Li "newfs -i 32768 ..." .
.Pp
Finally, increasing the
.Em cylinders/group
ratio has the effect of packing the inodes closer together.
This can increase directory performance and also decrease
.Xr fsck 8
times.
If you use this option at all, we recommend maxing it out.
Use
.Dq Li "newfs -c 999"
and
.Xr newfs 8
will error out and tell you what the maximum is, then use that.
.Pp
.Xr tunefs 8
may be used to further tune a filesystem.
This command can be run in
single-user mode without having to reformat the filesystem.
However, this is possibly the most abused program in the system.
Many people attempt to
increase available filesystem space by setting the min-free percentage to 0.
This can lead to severe filesystem fragmentation and we do not recommend
that you do this.
Really the only
.Xr tunefs 8
option worthwhile here is turning on
.Em softupdates
with
.Dq Li "tunefs -n enable /filesystem" .
(Note: in
.Fx
5.x
softupdates can be turned on using the
.Fl U
option to
.Xr newfs 8 ) .
Softupdates drastically improves meta-data performance, mainly file
creation and deletion.
We recommend enabling softupdates on all of your
filesystems.
There are two downsides to softupdates that you should be
aware of.
First, softupdates guarantees filesystem consistency in the
case of a crash but could very easily be several seconds (even a minute!)
behind updating the physical disk.
If you crash you may lose more work
than otherwise.
Secondly, softupdates delays the freeing of filesystem
blocks.
If you have a filesystem (such as the root filesystem) which is
close to full, doing a major update of it, e.g.\&
.Dq Li "make installworld" ,
can run it out of space and cause the update to fail.
.Pp
A number of run-time
.Xr mount 8
options exist that can help you tune the system.
The most obvious and most dangerous one is
.Cm async .
Don't ever use it, it is far too dangerous.
A less dangerous and more
useful
.Xr mount 8
option is called
.Cm noatime .
.Ux
filesystems normally update the last-accessed time of a file or
directory whenever it is accessed.
This operation is handled in
.Fx
with a delayed write and normally does not create a burden on the system.
However, if your system is accessing a huge number of files on a continuing
basis the buffer cache can wind up getting polluted with atime updates,
creating a burden on the system.
For example, if you are running a heavily
loaded web site, or a news server with lots of readers, you might want to
consider turning off atime updates on your larger partitions with this
.Xr mount 8
option.
However, you should not gratuitously turn off atime
updates everywhere.
For example, the
.Pa /var
filesystem customarily
holds mailboxes, and atime (in combination with mtime) is used to
determine whether a mailbox has new mail.
You might as well leave
atime turned on for mostly read-only partitions such as
.Pa /
and
.Pa /usr
as well.
This is especially useful for
.Pa /
since some system utilities
use the atime field for reporting.
.Sh STRIPING DISKS
In larger systems you can stripe partitions from several drives together
to create a much larger overall partition.
Striping can also improve
the performance of a filesystem by splitting I/O operations across two
or more disks.
The
.Xr vinum 8
and
.Xr ccdconfig 8
utilities may be used to create simple striped filesystems.
Generally
speaking, striping smaller partitions such as the root and
.Pa /var/tmp ,
or essentially read-only partitions such as
.Pa /usr
is a complete waste of time.
You should only stripe partitions that require serious I/O performance,
typically
.Pa /var , /home ,
or custom partitions used to hold databases and web pages.
Choosing the proper stripe size is also
important.
Filesystems tend to store meta-data on power-of-2 boundaries
and you usually want to reduce seeking rather than increase seeking.
This
means you want to use a large off-center stripe size such as 1152 sectors
so sequential I/O does not seek both disks and so meta-data is distributed
across both disks rather than concentrated on a single disk.
If
you really need to get sophisticated, we recommend using a real hardware
RAID controller from the list of
.Fx
supported controllers.
.Sh SYSCTL TUNING
There are several hundred
.Xr sysctl 8
variables in the system, including many that appear to be candidates for
tuning but actually aren't.
In this document we will only cover the ones
that have the greatest effect on the system.
.Pp
The
.Va kern.ipc.shm_use_phys
sysctl defaults to 0 (off) and may be set to 0 (off) or 1 (on).
Setting
this parameter to 1 will cause all System V shared memory segments to be
mapped to unpageable physical RAM.
This feature only has an effect if you
are either (A) mapping small amounts of shared memory across many (hundreds)
of processes, or (B) mapping large amounts of shared memory across any
number of processes.
This feature allows the kernel to remove a great deal
of internal memory management page-tracking overhead at the cost of wiring
the shared memory into core, making it unswappable.
.Pp
The
.Va vfs.vmiodirenable
sysctl defaults to 1 (on).
This parameter controls how directories are cached
by the system.
Most directories are small and use but a single fragment
(typically 1K) in the filesystem and even less (typically 512 bytes) in
the buffer cache.
However, when operating in the default mode the buffer
cache will only cache a fixed number of directories even if you have a huge
amount of memory.
Turning on this sysctl allows the buffer cache to use
the VM Page Cache to cache the directories.
The advantage is that all of
memory is now available for caching directories.
The disadvantage is that
the minimum in-core memory used to cache a directory is the physical page
size (typically 4K) rather than 512 bytes.
We recommend turning this option off in memory-constrained environments;
however, when on, it will substantially improve the performance of services
which manipulate large numbers of files.
Such services can include web caches, large mail systems, and news systems.
Turning on this option will generally not reduce performance even with the
wasted memory but you should experiment to find out.
.Pp
There are various buffer-cache and VM page cache related sysctls.
We do not recommend modifying those values.
As of
.Fx 4.3 ,
the VM system does an extremely good job tuning itself.
.Pp
The
.Va net.inet.tcp.sendspace
and
.Va net.inet.tcp.recvspace
sysctls are of particular interest if you are running network intensive
applications.
These control the amount of send and receive buffer space
allowed for any given TCP connection.
The default sending buffer is 32k; the default receiving buffer
is 64k.
You can often
improve bandwidth utilization by increasing the default at the cost of
eating up more kernel memory for each connection.
We do not recommend
increasing the defaults if you are serving hundreds or thousands of
simultaneous connections because it is possible to quickly run the system
out of memory due to stalled connections building up.
But if you need
high bandwidth over fewer connections, especially if you have
gigabit Ethernet, increasing these defaults can make a huge difference.
You can adjust the buffer size for incoming and outgoing data separately.
For example, if your machine is primarily doing web serving you may want
to decrease the recvspace in order to be able to increase the
sendspace without eating too much kernel memory.
Note that the routing table (see
.Xr route 8 )
can be used to introduce route-specific send and receive buffer size
defaults.
.Pp
As an additional management tool you can use pipes in your
firewall rules (see
.Xr ipfw 8 )
to limit the bandwidth going to or from particular IP blocks or ports.
For example, if you have a T1 you might want to limit your web traffic
to 70% of the T1's bandwidth in order to leave the remainder available
for mail and interactive use.
Normally a heavily loaded web server
will not introduce significant latencies into other services even if
the network link is maxed out, but enforcing a limit can smooth things
out and lead to longer term stability.
Many people also enforce artificial
bandwidth limitations in order to ensure that they are not charged for
using too much bandwidth.
.Pp
Setting the send or receive TCP buffer to values larger than 65535 will result
in only a marginal performance improvement unless both hosts support the window
scaling extension of the TCP protocol, which is controlled by the
.Va net.inet.tcp.rfc1323
sysctl.
These extensions should be enabled and the TCP buffer size should be set
to a value larger than 65536 in order to obtain good performance out of
certain types of network links; specifically, gigabit WAN links and
high-latency satellite links.
.Pp
The
.Va net.inet.tcp.always_keepalive
sysctl determines whether or not the TCP implementation should attempt
to detect dead TCP connections by intermittently delivering "keepalives"
on the connection.
By default, this is enabled for all applications; by setting this
sysctl to 0, only applications that specifically request keepalives
will use them.
In most environments, TCP keepalives will improve the management of
system state by expiring dead TCP connections, particularly for
systems serving dialup users who may not always terminate individual
TCP connections before disconnecting from the network.
However, in some environments, temporary network outages may be
incorrectly identified as dead sessions, resulting in unexpectedly
terminated TCP connections.
In such environments, setting the sysctl to 0 may reduce the occurrence of
TCP session disconnections.
.Pp
The
.Va kern.ipc.somaxconn
sysctl limits the size of the listen queue for accepting new TCP connections.
The default value of 128 is typically too low for robust handling of new
connections in a heavily loaded web server environment.
For such environments,
we recommend increasing this value to 1024 or higher.
The service daemon
may itself limit the listen queue size (e.g.\&
.Xr sendmail 8 ,
apache) but will
often have a directive in its configuration file to adjust the queue size up.
Larger listen queues also do a better job of fending off denial-of-service
attacks.
.Pp
The
.Va kern.maxfiles
sysctl determines how many open files the system supports.
The default is
typically a few thousand but you may need to bump this up to ten or twenty
thousand if you are running databases or large descriptor-heavy daemons.
.Pp
The
.Va vm.swap_idle_enabled
sysctl is useful in large multi-user systems where you have lots of users
entering and leaving the system and lots of idle processes.
Such systems
tend to generate a great deal of continuous pressure on free memory reserves.
Turning this feature on and adjusting the swapout hysteresis (in idle
seconds) via
.Va vm.swap_idle_threshold1
and
.Va vm.swap_idle_threshold2
allows you to depress the priority of pages associated with idle processes
more quickly than the normal pageout algorithm.
This gives a helping hand
to the pageout daemon.
Do not turn this option on unless you need it,
because the tradeoff you are making is to essentially pre-page memory sooner
rather than later, eating more swap and disk bandwidth.
In a small system
this option will have a detrimental effect but in a large system that is
already doing moderate paging this option allows the VM system to stage
whole processes into and out of memory more easily.
.Sh LOADER TUNABLES
Some aspects of the system behavior may not be tunable at runtime because
memory allocations they perform must occur early in the boot process.
To change loader tunables, you must set their value in
.Xr loader.conf 5
and reboot the system.
.Pp
The
.Va kern.maxusers
tunable defaults to an incredibly low value.
For most modern machines,
you probably want to increase this value to 64, 128, or 256.
We do not
recommend going above 256 unless you need a huge number of file descriptors.
Network buffers are also affected but can be controlled with a separate
kernel option.
Do not increase maxusers just to get more network mbufs.
Systems older than
.Fx 4.4
do not have this loader tunable and require that
the kernel
.Xr config 8
option
.Cd maxusers
be set instead.
.Pp
.Va kern.ipc.nmbclusters
may be adjusted to increase the number of network mbufs the system is
willing to allocate.
Each cluster represents approximately 2K of memory,
so a value of 1024 represents 2M of kernel memory reserved for network
buffers.
You can do a simple calculation to figure out how many you need.
If you have a web server which maxes out at 1000 simultaneous connections,
and each connection eats a 16K receive and 16K send buffer, you need
approximately 32MB worth of network buffers to deal with it.
A good rule of
thumb is to multiply by 2, so 32MBx2 = 64MB/2K = 32768.
So for this case
you would want to set
.Va kern.ipc.nmbclusters
to 32768.
We recommend values between
1024 and 4096 for machines with moderate amounts of memory, and between 4096
and 32768 for machines with greater amounts of memory.
Under no circumstances
should you specify an arbitrarily high value for this parameter, it could
lead to a boot-time crash.
The
.Fl m
option to
.Xr netstat 1
may be used to observe network cluster use.
Older versions of
.Fx
do not have this tunable and require that the
kernel
.Xr config 8
option
.Dv NMBCLUSTERS
be set instead.
.Pp
More and more programs are using the
.Xr sendfile 2
system call to transmit files over the network.
The
.Va kern.ipc.nsfbufs
sysctl controls the number of filesystem buffers
.Xr sendfile 2
is allowed to use to perform its work.
This parameter nominally scales
with
.Va kern.maxusers
so you should not need to modify this parameter except under extreme
circumstances.
.Sh KERNEL CONFIG TUNING
There are a number of kernel options that you may have to fiddle with in
a large scale system.
In order to change these options you need to be
able to compile a new kernel from source.
The
.Xr config 8
manual page and the handbook are good starting points for learning how to
do this.
Generally the first thing you do when creating your own custom
kernel is to strip out all the drivers and services you don't use.
Removing things like
.Dv INET6
and drivers you don't have will reduce the size of your kernel, sometimes
by a megabyte or more, leaving more memory available for applications.
.Pp
.Dv SCSI_DELAY
and
.Dv IDE_DELAY
may be used to reduce system boot times.
The defaults are fairly high and
can be responsible for 15+ seconds of delay in the boot process.
Reducing
.Dv SCSI_DELAY
to 5 seconds usually works (especially with modern drives).
Reducing
.Dv IDE_DELAY
also works but you have to be a little more careful.
.Pp
There are a number of
.Dv *_CPU
options that can be commented out.
If you only want the kernel to run
on a Pentium class CPU, you can easily remove
.Dv I386_CPU
and
.Dv I486_CPU ,
but only remove
.Dv I586_CPU
if you are sure your CPU is being recognized as a Pentium II or better.
Some clones may be recognized as a Pentium or even a 486 and not be able
to boot without those options.
If it works, great!
The operating system
will be able to better use higher-end CPU features for MMU, task switching,
timebase, and even device operations.
Additionally, higher-end CPUs support
4MB MMU pages which the kernel uses to map the kernel itself into memory,
which increases its efficiency under heavy syscall loads.
.Sh IDE WRITE CACHING
.Fx 4.3
flirted with turning off IDE write caching.
This reduced write bandwidth
to IDE disks but was considered necessary due to serious data consistency
issues introduced by hard drive vendors.
Basically the problem is that
IDE drives lie about when a write completes.
With IDE write caching turned
on, IDE hard drives will not only write data to disk out of order, they
will sometimes delay some of the blocks indefinitely when under heavy disk
loads.
A crash or power failure can result in serious filesystem
corruption.
So our default was changed to be safe.
Unfortunately, the
result was such a huge loss in performance that we caved in and changed the
default back to on after the release.
You should check the default on
your system by observing the
.Va hw.ata.wc
sysctl variable.
If IDE write caching is turned off, you can turn it back
on by setting the
.Va hw.ata.wc
kernel variable back to 1.
This must be done from the boot
.Xr loader 8
at boot time.
Attempting to do it after the kernel boots will have no effect.
Please see
.Xr ata 4
and
.Xr loader 8 .
.Pp
There is a new experimental feature for IDE hard drives called
.Va hw.ata.tags
(you also set this in the boot loader) which allows write caching to be safely
turned on.
This brings SCSI tagging features to IDE drives.
As of this
writing only IBM DPTA and DTLA drives support the feature.
Warning!
These
drives apparently have quality control problems and I do not recommend
purchasing them at this time.
If you need performance, go with SCSI.
.Sh CPU, MEMORY, DISK, NETWORK
The type of tuning you do depends heavily on where your system begins to
bottleneck as load increases.
If your system runs out of CPU (idle times
are perpetually 0%) then you need to consider upgrading the CPU or moving to
an SMP motherboard (multiple CPUs), or perhaps you need to revisit the
programs that are causing the load and try to optimize them.
If your system
is paging to swap a lot you need to consider adding more memory.
If your
system is saturating the disk you typically see high CPU idle times and
total disk saturation.
.Xr systat 1
can be used to monitor this.
There are many solutions to saturated disks:
increasing memory for caching, mirroring disks, distributing operations across
several machines, and so forth.
If disk performance is an issue and you
are using IDE drives, switching to SCSI can help a great deal.
While modern
IDE drives compare with SCSI in raw sequential bandwidth, the moment you
start seeking around the disk SCSI drives usually win.
.Pp
Finally, you might run out of network suds.
The first line of defense for
improving network performance is to make sure you are using switches instead
of hubs, especially these days where switches are almost as cheap.
Hubs
have severe problems under heavy loads due to collision backoff and one bad
host can severely degrade the entire LAN.
Second, optimize the network path
as much as possible.
For example, in
.Xr firewall 7
we describe a firewall protecting internal hosts with a topology where
the externally visible hosts are not routed through it.
Use 100BaseT rather
than 10BaseT, or use 1000BaseT rather than 100BaseT, depending on your needs.
Most bottlenecks occur at the WAN link (e.g.\&
modem, T1, DSL, whatever).
If expanding the link is not an option it may be possible to use the
.Xr dummynet 4
feature to implement peak shaving or other forms of traffic shaping to
prevent the overloaded service (such as web services) from affecting other
services (such as email), or vice versa.
In home installations this could
be used to give interactive traffic (your browser,
.Xr ssh 1
logins) priority
over services you export from your box (web services, email).
.Sh SEE ALSO
.Xr netstat 1 ,
.Xr systat 1 ,
.Xr ata 4 ,
.Xr dummynet 4 ,
.Xr login.conf 5 ,
.Xr firewall 7 ,
.Xr hier 7 ,
.Xr ports 7 ,
.Xr boot 8 ,
.Xr ccdconfig 8 ,
.Xr config 8 ,
.Xr disklabel 8 ,
.Xr fsck 8 ,
.Xr ifconfig 8 ,
.Xr ipfw 8 ,
.Xr loader 8 ,
.Xr mount 8 ,
.Xr newfs 8 ,
.Xr route 8 ,
.Xr sysctl 8 ,
.Xr tunefs 8 ,
.Xr vinum 8
.Sh HISTORY
The
.Nm
manual page was originally written by
.An Matthew Dillon
and first appeared
in
.Fx 4.3 ,
May 2001.
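
The network guidance under SYSCTL TUNING and LOADER TUNABLES above (listen queue size, TCP buffers versus window scaling, and the kern.ipc.nmbclusters sizing rule) combined into one shell check. This is an added example, not part of the manual page; the function names and the sample values are constructed for illustration, and the input is text in the `name: value` form that sysctl(8) prints, so no live system is needed.

```shell
#!/bin/sh
# Added example: check sysctl values against the guidance in tuning(7).
# Function names and SAMPLE are constructed for illustration.

# Constructed input in the "name: value" form printed by sysctl(8):
# a web server that shrank recvspace to afford a larger sendspace.
SAMPLE='kern.ipc.somaxconn: 128
kern.ipc.nmbclusters: 4096
net.inet.tcp.sendspace: 131072
net.inet.tcp.recvspace: 16384
net.inet.tcp.rfc1323: 0'

# nmbclusters_needed CONNS SEND_BYTES RECV_BYTES
# The page's rule of thumb: total buffer space for all connections,
# doubled, divided by the roughly 2K that one cluster represents.
# The page rounds 1000 x 32K up to 32MB and so arrives at 32768; computed
# exactly, 1000 connections give 32000 and 1024 connections give 32768.
nmbclusters_needed() {
    echo $(( $1 * ($2 + $3) * 2 / 2048 ))
}

# audit_sysctl CONNS
# Reads "name: value" lines on stdin and prints one line per finding.
audit_sysctl() {
    conns=$1
    somax=0 nmb=0 send=0 recv=0 rfc=0
    while IFS=': ' read -r name value; do
        case $name in
            kern.ipc.somaxconn)     somax=$value ;;
            kern.ipc.nmbclusters)   nmb=$value ;;
            net.inet.tcp.sendspace) send=$value ;;
            net.inet.tcp.recvspace) recv=$value ;;
            net.inet.tcp.rfc1323)   rfc=$value ;;
        esac
    done

    # Listen queue: 128 is called too low for a heavily loaded web server.
    if [ "$somax" -lt 1024 ]; then
        echo "somaxconn: $somax is below the suggested 1024"
    fi

    # Buffers above 65535 only pay off with window scaling enabled.
    if [ "$rfc" -eq 0 ]; then
        if [ "$send" -gt 65535 ] || [ "$recv" -gt 65535 ]; then
            echo "rfc1323: off, but a TCP buffer exceeds 65535"
        fi
    fi

    # Clusters: 32768 is the top of the range the page recommends, and it
    # warns that an arbitrarily high value can crash the machine at boot.
    need=$(nmbclusters_needed "$conns" "$send" "$recv")
    if [ "$need" -gt 32768 ]; then
        echo "nmbclusters: $need needed, above 32768; shrink the buffers"
    elif [ "$nmb" -lt "$need" ]; then
        echo "nmbclusters: $nmb is too low, $need needed"
    fi
    return 0
}

# Stand-alone run: audit the sample for 200 simultaneous connections.
printf '%s\n' "$SAMPLE" | audit_sysctl 200
```

On a live system the same function can be fed from `sysctl` directly by naming the five variables on its command line.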