* Florin Andrei <[EMAIL PROTECTED]> [2007-10-09 22:54]:
> Henning Brauer wrote:
>> * Florin Andrei <[EMAIL PROTECTED]> [2007-10-09 19:34]:
>>>> then, an i386 kernel should perform considerably better than amd64 for
>>>> firewalling/routing/...
>>> That is surprising. What is the reason?
>> we dunno really. it hasn't been benched in some time so it might not even be
>> true any more, but last time the difference was dramatic.
>
> Then I will do some tests with 4.2 on gigabit-capable hardware. If anything
> noteworthy comes out, I'll post the results.
> Don't expect something too fancy, but I guess anything is better than
> nothing.
>
>>> How much RAM can the i386 kernel use on an amd64 machine?
>> 4GB minus pci space
>
> Hmmm.
>
> Please correct me if I'm wrong:
> Let's say a firewall is connected to a pretty fast Internet pipe (in the
> gigabit range). Let's say there's a DDoS against this environment. In
> theory, the firewall would need lots of RAM so that it can deal with the
> incoming nasty packets, create an entry for each packet in the state table
> (don't know the correct name for it in OpenBSD, sorry), then expire it
> after a while.
> In theory, the firewall could be tweaked to expire unused states quickly,
> but still, more RAM is better when dealing with a DDoS.

nope. the kernel will not ever use more than 1 GB (or were it 768MB? memory
fuzzy). more than 1 GB of memory on a firewall even hurts. ok, not much. but
a bit.

> What's still not clear to me is how much RAM I should provision per 1Gb of
> bandwidth on OpenBSD, assuming there's an incoming worst-case-scenario
> DDoS, that consumes RAM (and other resources) on the firewall yet leaves
> some bandwidth open for legitimate traffic (so the firewall must be able to
> continue to let the good traffic pass through). Also assuming some tweaking
> has been done on the firewall to expire the bad stuff quickly without
> affecting legitimate traffic.

RAM is not your concern on a firewall.

>>> If the SMP kernel does not actually hurt performance, I might have to use
>>> it.
>> it does. seriously. locking is not free.
>
> Aw, damn. I was hoping that's not quite the case.
>
> Well, then hopefully the dynamic routing daemons won't get too greedy and
> DoS the firewall from within. :-)

no, they won't. they only get the cpu cycles not required for packet
forwarding (well, interrupts + softint handling really) anyway.

> Or I may have to re-think the whole
> environment and forget the idea of doing any kind of dynamic routing on the
> firewall - from a security perspective, dynamic routing on the firewall
> sucks anyway.

no, not really, not if done right.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
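The thread discusses "tweaking the firewall to expire the bad stuff quickly without affecting legitimate traffic" but neither poster shows what that looks like. The pf.conf fragment below is an added example, not something posted by Florin or Henning, showing the pf knobs that address exactly that: a hard cap on the state table, adaptive timeouts that shorten state lifetimes as the table fills, short timeouts for half-open states, and per-source limits that move abusive sources into a blocked table. The interface names (em0/em1), the service ports and every numeric limit are assumptions chosen for illustration; size them from your own traffic profile.

```pf
# Added example (not from the thread): pf.conf fragment for a gateway that must
# keep passing legitimate traffic while a flood tries to fill the state table.
# Interface names, ports and limits are assumptions for illustration only.

ext_if = "em0"
int_if = "em1"

# Hard cap on state table entries. Beyond the cap pf refuses to create new
# states instead of growing without bound; existing states keep working.
# (The era's default was far lower; pick a value your box can hold.)
set limit states 100000

# Adaptive timeouts: once the table holds more than adaptive.start entries,
# every timeout is scaled by (adaptive.end - states) / (adaptive.end -
# adaptive.start), reaching zero at adaptive.end. Idle and half-open states
# expire first; active flows keep refreshing their timers and survive.
set timeout { adaptive.start 60000, adaptive.end 120000 }

# Half-open TCP states (SYN seen, handshake not completed) get a short life so
# a SYN flood cannot park entries for long; established connections keep a
# long idle timeout and are not affected.
set timeout { tcp.first 20, tcp.opening 10, tcp.established 3600 }
set timeout { udp.first 30, udp.single 15, udp.multiple 45 }

# Sources that exceed the per-host limits below are added to this table.
table <flooders> persist

block in quick on $ext_if from <flooders>

# Per-source limits on the services exposed to the outside: at most 50 states
# and 15 new connections per 5 seconds from any single address. Violators go
# into <flooders> and all of their existing states are flushed immediately.
pass in on $ext_if proto tcp to ($ext_if) port { 80 443 } \
    flags S/SA keep state \
    (max-src-states 50, max-src-conn-rate 15/5, \
     overload <flooders> flush global)

# Traffic from the inside network is passed statefully as usual.
pass in on $int_if keep state
pass out on $ext_if keep state
```

The point of the combination: `set limit states` bounds memory use (which matches Henning's remark that RAM is not the concern), adaptive timeouts make the table self-cleaning under pressure without touching anything while the table is small, and the overload rule keeps one noisy source from consuming the whole budget. Watch `pfctl -si` (state table counters, including states refused because the limit was hit) and `pfctl -t flooders -T show` to verify the limits are biting on the flood and not on real users before tightening further.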