Re: How fast can Linux-Firewalls be?
On Sat, 23 Feb 2002 15:10, Peter Billson wrote:
> [EMAIL PROTECTED] wrote:
> > What minimum characteristics would a Linux IP Masquerading Firewall
> > Box need, to run a 100 Mbps link without slowing down traffic.
>
> There was some discussion last January (2001) about this type of
> thing. The problem you will run into if you are using POTS Intel
> hardware is the PCI bus speed, so you are going to have a tough time

A 33MHz 32bit PCI bus can do 133MB/s in burst mode, a 66MHz bus allows 267MB/s, and a 66MHz 64bit bus (I've never seen a 64bit PCI network card so this is academic) can do up to 533MB/s.

> filling one 100Mbs connection with an old Pentium - assuming an old
> 66Mhz PCI bus. You can forget about filling two or more. Also, cheap

No. Saturating a 100baseT (10MB/s) network link on an old Pentium is not a challenge.

> NICs will do more to kill your max. throughput.

Cheap NICs are unreliable, sometimes need to be reset to recover from hardware glitches (causing an interruption to traffic), and use more CPU time. If you have a sufficiently fast CPU and a small number of network cards then you'll probably get the same wire speed from cheap and expensive cards (apart from when the cheap card needs to be reset). If you want 6 network cards in a machine then you should get something half decent (clone Tulip card for example).

> That being said, I run old Pentium 133s with 64Mb RAM in several
> applications as routers and can notice no network latency on a 100BaseT
> network, but I have never benchmarked the machines. Usually the

My experience is that latency is noticeable, but throughput remains the same. Compare pinging a P-133 vs pinging a 1.4GHz Athlon. You'll see a ping time difference, but you won't expect to see any real performance difference when routing through a couple of 100baseT network cards.

But for firewalling the real issue is the number of firewall rules that have to be traversed. If each packet has to be checked against 1000 rules then even the newest Athlon machine may have problems. Have only 2 or 3 rules needed for most traffic and a Pentium will do the job. Make sure you order your rules so that the first rules traversed will be the most common ACCEPT rules.

--
Signatures >4 lines are rude. If you send email to me or to a mailing list that I am subscribed to which has >4 lines of legalistic junk at the end then you are specifically authorizing me to do whatever I wish with the message (the sig won't be read).
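The rule-traversal argument in the reply above, as an added example that is not code from the thread: a small model of a linear chain (ipchains/iptables style) that counts how many rules each packet is compared against under two orderings of the same rule set, and checks that the reordering does not change any verdict. The rule names, the 200 "rare service" ports and the traffic mix are constructed.

```python
"""Cost model for a linear firewall chain: every packet is compared against
rules top-down until one matches, so the number of rules traversed, not
link speed, becomes the per-packet cost the thread describes.
Constructed rule set and traffic mix; not from the original post."""


def rule(name, action, **want):
    """A rule matches when every field in `want` equals the packet's field."""
    return (name, action, lambda pkt: all(pkt.get(k) == v for k, v in want.items()))


def verdict(rules, pkt, policy="DROP"):
    """Return (action, rules_checked); unmatched packets hit the chain policy."""
    for checked, (_name, action, match) in enumerate(rules, start=1):
        if match(pkt):
            return action, checked
    return policy, len(rules)


def average_traversed(rules, packets):
    return sum(verdict(rules, p)[1] for p in packets) / len(packets)


def same_verdicts(rules_a, rules_b, packets):
    """Reordering is only safe if no packet changes verdict; check before deploying."""
    return all(verdict(rules_a, p)[0] == verdict(rules_b, p)[0] for p in packets)


# 200 rarely used per-service ACCEPT rules (constructed ports 1000-1199).
RARE_SERVICES = [rule(f"svc-{port}", "ACCEPT", proto="tcp", dport=port, state="NEW")
                 for port in range(1000, 1200)]
COMMON = [rule("established", "ACCEPT", state="ESTABLISHED"),
          rule("www", "ACCEPT", proto="tcp", dport=80, state="NEW")]

RULES_NAIVE = RARE_SERVICES + COMMON[::-1]   # common accepts buried at the end
RULES_ORDERED = COMMON + RARE_SERVICES       # most common ACCEPT rules first

# Constructed traffic mix: mostly replies on existing connections, some web,
# two rare services, one unsolicited telnet SYN that falls through to the policy.
TRAFFIC = ([{"proto": "tcp", "dport": 443, "state": "ESTABLISHED"}] * 90
           + [{"proto": "tcp", "dport": 80, "state": "NEW"}] * 7
           + [{"proto": "tcp", "dport": 1000, "state": "NEW"},
              {"proto": "tcp", "dport": 1100, "state": "NEW"},
              {"proto": "tcp", "dport": 23, "state": "NEW"}])

if __name__ == "__main__":
    assert same_verdicts(RULES_NAIVE, RULES_ORDERED, TRAFFIC)
    print("naive  :", average_traversed(RULES_NAIVE, TRAFFIC), "rules/packet")
    print("ordered:", average_traversed(RULES_ORDERED, TRAFFIC), "rules/packet")
```

On a real box the per-rule packet counters (`iptables -L -v -n`) play the role of this model's traffic mix: they show which ACCEPT rules are actually hit most and so belong at the top.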
Re: How fast can Linux-Firewalls be?
[EMAIL PROTECTED] wrote:
> What minimum characteristics would a Linux IP Masquerading Firewall
> Box need, to run a 100 Mbps link without slowing down traffic.

There was some discussion last January (2001) about this type of thing. The problem you will run into if you are using POTS Intel hardware is the PCI bus speed, so you are going to have a tough time filling one 100Mbs connection with an old Pentium - assuming an old 66Mhz PCI bus. You can forget about filling two or more. Also, cheap NICs will do more to kill your max. throughput.

That being said, I run old Pentium 133s with 64Mb RAM in several applications as routers and can notice no network latency on a 100BaseT network, but I have never benchmarked the machines. Usually the bottlenecks are elsewhere - i.e. server hard drive throughput. Packet routing, filtering, masquerading really doesn't require much CPU horsepower.

> With two old Pentium boxes and Debian, I could set up a Firewall and a
> network traffic watcher within a few hours, thus relieving some
> technical flaws of the University Network.

Linux. World domination... fast.

Pete Billson
--
http://www.elbnet.com
ELB Internet Services, Inc.
Web Design, Computer Consulting, Internet Hosting
How fast can Linux-Firewalls be?
Hello!

I know that there has been some discussion on the list about this, but I could not find it:

What minimum characteristics would a Linux IP Masquerading Firewall Box need, to run a 100 Mbps link without slowing down traffic? What is the maximum bandwidth you can get with a Linux based Gateway/Firewall/Router? What if I use two (three...) outgoing 100Mbps lines?

BTW: The Nacional Tecnical University recently hired me to help propose future ICT Development. With two old Pentium boxes and Debian, I could set up a Firewall and a network traffic watcher within a few hours, thus relieving some technical flaws of the University Network. Debian is great! Practically any message on this list has been helpful, informative and inspiring. Thanks to you.

Best Regards
Jorge-León