On Thu, Apr 18, 2002 at 10:12:56AM -0400, Michael Montero wrote:
> All, I run BlackPlanet.com - one of the top 20 largest sites on the
> Internet. We're all open source (PHP, Apache, Linux, etc.) but currently
> pay about 50K for commercial firewall boxes. From a strictly performance
> standpoint, does anyone have any opinions about trying to put a Linux box
> running iptables in as one of our firewalls (assuming we could get all the
> rules matching that are on the current firewalls)?
>
> My main concern is with performance. We push A LOT of traffic - about 800
> million page views per month. At peak we're pushing about 200 megabits
> per second.

The 200mbits in production shouldn't be a problem if running on reasonable
dual SMP boxes with reasonable gbit-ethernet boards.

However, the situation looks totally different as soon as somebody is
flooding you with 200MBit full of 64-byte packets - or even worse, crafting
particular floods which attack the conntrack hash function, ...

> I believe we can get all the rules in place and it would be magnificent to
> cut our costs from 50K per firewall to ~2K. We have 3 in production and
> a few more for redundancy would be wonderful - just not willing to pay the
> price.

Failover / load sharing is something you have to be cautious about. As soon
as you use connection tracking, you cannot do failover without losing all
connection tracking state (which _could_ be acceptable if it's only
short-lived http connections, but still..).

In any case, if you are taking this further, I strongly recommend contracting
a consultant who is familiar with bigger netfilter/iptables based setups,
since there can be a lot of tweaks/...

> Michael C. Montero
> Chief Technology Officer
> Community Connect Inc. Co-founder

--
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
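The two cautions in the reply (small-packet floods that fill or collide in the conntrack table, and failover that discards all conntrack state) both point the same way for a site whose traffic is almost entirely short-lived HTTP: keep that traffic out of connection tracking and filter it statelessly, so there is no state to exhaust and none to lose on failover. The script below is an added example, not code from this thread or from the netfilter project. It emits an iptables ruleset in iptables-restore format; the web and management subnets, the per-source SYN rate and the conntrack sizes are assumed placeholders, and the raw-table NOTRACK target, the conntrack match and the hashlimit match require a 2.6-or-later kernel (none of them existed in the 2002 iptables the thread discusses).

```shell
#!/bin/sh
# Added example (not from the original thread): stateless-for-HTTP iptables
# ruleset for a web farm behind a Linux firewall. All addresses are assumed
# placeholders from the documentation ranges.
WEB_NET="192.0.2.0/24"      # assumed: subnet of the web servers
MGMT_NET="198.51.100.0/24"  # assumed: admin network allowed to SSH to the firewall
SYN_RATE="50/sec"           # assumed: per-source rate of new HTTP connections above which SYNs are dropped

# Emit the ruleset. Public HTTP is marked NOTRACK in the raw table, so the
# web connections never enter the conntrack table: a flood cannot fill it,
# collisions in its hash are irrelevant for that traffic, and a failover to a
# second box loses nothing for HTTP because no HTTP state exists. Only the
# management traffic to the firewall itself is tracked.
build_rules() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# client -> web server and web server -> client: create no conntrack entries
-A PREROUTING -p tcp -d $WEB_NET --dport 80 -j NOTRACK
-A PREROUTING -p tcp -s $WEB_NET --sport 80 -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# firewall host itself: loopback, replies to tracked flows, SSH from the admin net only
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $MGMT_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# forwarded traffic that is still tracked (anything not NOTRACKed above)
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# per-source cap on new HTTP connections, decided statelessly on the SYN
-A FORWARD -p tcp -d $WEB_NET --dport 80 --syn -m hashlimit --hashlimit-name web-syn --hashlimit-mode srcip --hashlimit-above $SYN_RATE --hashlimit-burst 100 -j DROP
# stateless HTTP: anything inbound to port 80, and outbound from port 80 only without SYN
-A FORWARD -p tcp -d $WEB_NET --dport 80 -j ACCEPT
-A FORWARD -p tcp -s $WEB_NET --sport 80 ! --syn -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in the generated set (sanity check for the generator)
rule_count() {
    build_rules | grep -c '^-A'
}

# Size the conntrack table for the flows that remain tracked. The values are
# assumed and must be matched to the box's RAM (each entry costs a few hundred
# bytes); the bucket count is the hashsize module parameter.
tune_conntrack() {
    sysctl -w net.netfilter.nf_conntrack_max=262144
    echo 65536 > /sys/module/nf_conntrack/parameters/hashsize
}

# Usage: sh firewall.sh apply   (root required). Without "apply" the script
# only prints the ruleset so it can be reviewed or diffed against the old firewall.
case "${1:-}" in
    apply) tune_conntrack && build_rules | iptables-restore ;;
    *)     build_rules ;;
esac
```

Because the HTTP flows carry no state, a standby firewall can take over in the middle of a connection without the clients noticing; only the small set of tracked management flows would need state synchronisation between the boxes, which is the job conntrackd (from conntrack-tools) was later written for. The cost of the stateless approach is that the web-server side is only checked for "not a SYN", so it relies on the web servers themselves being hardened rather than on the firewall verifying the handshake.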
