On Mon, Dec 21, 2009 at 12:04:32PM +0200, sadas sadas wrote:
>
>>Some months ago there were discussions about 10 Gbit performance with
>>Linux. Some guys were pushing over 70 Gbit/sec through a single Linux
>>box.
>
>70 Gbit/sec ? Maybe with port
>aggregation it's possible.
thus Pasi Kärkkäinen spake:
> On Mon, Dec 21, 2009 at 10:17:48AM +0100, Timo Schoeler wrote:
>> thus Pasi Kärkkäinen spake:
>>> On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
I will explain more deeply. I need to deploy a firewall(s) in front of
web
server farm b
>Some months ago there were discussions about 10 Gbit performance with
>Linux. Some guys were pushing over 70 Gbit/sec through a single Linux
>box.
70 Gbit/sec ? Maybe with port aggregation it's possible. Can you give some
more info about those guys. To achieve that high throughput maybe
On Mon, Dec 21, 2009 at 10:17:48AM +0100, Timo Schoeler wrote:
> thus Pasi Kärkkäinen spake:
> > On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
> >>I will explain more deeply. I need to deploy a firewall(s) in front of
> >> web
> >>server farm because I need to do billing - I
Pasi Kärkkäinen wrote:
> Some months ago there were discussions about 10 Gbit performance with
> Linux. Some guys were pushing over 70 Gbit/sec through a single Linux
> box.
>
> Not sure if firewalling was enabled.. most probably not.
>
what I see consistently with iptables is people writing far
thus Pasi Kärkkäinen spake:
> On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
>>I will explain more deeply. I need to deploy a firewall(s) in front of web
>>server farm because I need to do billing - I will use CentOS with iptables
>>+ ipset to store a list of my clients so
>I've been using Linux (CentOS5) on gigabit firewalls, for thousands of
>users. No problems.
>
>Just make sure ip_conntrack_max is big enough, so you don't run out of
>connections.
>
>There are other things to tune to optimize the performance, but it's
>certainly doable with linux+ipta
On Sun, Dec 20, 2009 at 09:58:19AM -0800, nate wrote:
> RedShift wrote:
>
> > Have you got some figures to back that up? Everybody's saying OpenBSD's pf
> > performance is superior, yet nobody has posted some proof.
>
> Not sure myself, keep in mind that there are (at least) two different
> ways
On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
>I will explain more deeply. I need to deploy a firewall(s) in front of web
>server farm because I need to do billing - I will use CentOS with iptables
>+ ipset to store a list of my clients so when client doesn't pay his
>
RedShift wrote:
> On 12/20/09 16:22, Chan Chung Hang Christopher wrote:
>> Les Mikesell wrote:
>>> Timo Schoeler wrote:
> What about NetBSD? I heard that NetBSD has the best network stack out
> there. Maybe NetBSD with pf is the best choice?
NetBSD is a very nice OS, I personally like
Les Mikesell wrote:
> Chan Chung Hang Christopher wrote:
>> That part about high-core speed for OpenBSD pf is definitely on. The
>> multi-processor part...not too sure. Maybe with NUMA systems like what
>> you get on AMD Opteron platforms.
>>
>
> Don't both iptables and pf bypass the filters for
rai...@ultra-secure.de wrote:
>> I've got a garage full of tools at my disposal. However, for the task at
>> hand, which is nailing a nail, there is no tool more appropriate than the
>> aforementioned hammer.
>
>
> Yeah, but the original poster's only tool seems to be the CentOS
> sledge-hammer.
Peter Serwe wrote:
> This thread is like a bad joke. You've been given the answer 37 times
> by 23 people.
>
And yet, none of those responses provided any objective measurements or links
to test results. Not only were most just opinions, many said the opinions were
based on first impressio
> I've got a garage full of tools at my disposal. However, for the task at
> hand, which is nailing a nail, there is no tool more appropriate than the
> aforementioned hammer.
Yeah, but the original poster's only tool seems to be the CentOS
sledge-hammer.
I could understand him if the answer to
I've got a garage full of tools at my disposal. However, for the task at
hand, which is nailing a nail, there is no tool more appropriate than the
aforementioned hammer.
Peter
On Sun, Dec 20, 2009 at 12:50 PM, wrote:
> This thread is like a bad joke. You've been given the answer 37 times by
> 23
> people.
>
> Harrow?!!
>
Well, if all you've got is a hammer, everything will begin to look like a
nail.
Doesn't it?
;-)
Rainer
This thread is like a bad joke. You've been given the answer 37 times by 23
people.
Harrow?!!
Peter
On Sun, Dec 20, 2009 at 8:10 AM, sadas sadas wrote:
> What solution for gigabit firewall can you suggest? Which OS and packet
> filter is capable to achieve high performance and gigabit speed
On Fri, Dec 18, 2009 at 12:06 PM, nate wrote:
> iptables makes a TERRIBLE firewall, use pf instead
>
> http://www.openbsd.org/faq/pf/index.html
I wholeheartedly agree with Nate on this! I spent a bunch of time looking
at firewall solutions a year or two back, and PF was by far the
easiest solution to
RedShift wrote:
> Have you got some figures to back that up? Everybody's saying OpenBSD's pf
> performance is superior, yet nobody has posted some proof.
Not sure myself, keep in mind that there are (at least) two different
ways to measure firewall performance - connections/second and
throughput.
On 12/20/09 16:22, Chan Chung Hang Christopher wrote:
> Les Mikesell wrote:
>> Timo Schoeler wrote:
What about NetBSD? I heard that NetBSD has the best network stack out
there. Maybe NetBSD with pf is the best choice?
>>> NetBSD is a very nice OS, I personally like it most (out of all BSD
Chan Chung Hang Christopher wrote:
> Les Mikesell wrote:
>> Timo Schoeler wrote:
What about NetBSD? I heard that NetBSD has the best network stack out
there. Maybe NetBSD with pf is the best choice?
>>> NetBSD is a very nice OS, I personally like it most (out of all BSDs out
>>> there); h
Chan Chung Hang Christopher wrote:
>
> That part about high-core speed for OpenBSD pf is definitely on. The
> multi-processor part...not too sure. Maybe with NUMA systems like what
> you get on AMD Opteron platforms.
>
Don't both iptables and pf bypass the filters for established TCP connection
What solution for gigabit firewall can you suggest? Which OS and packet filter
is capable to achieve high performance and gigabit speeds?
>Les Mikesell wrote:
>> Timo Schoeler wrote:
What about NetBSD? I heard that NetBSD has the best network stack out
there. Maybe NetBSD with p
Peter Serwe wrote:
> I'll second damn near everything nate said, and hopefully add a tidbit or
> two.
>
> If you're new to BSD, you may want to consider the pfsense project in the
> aforementioned active-active configuration.
>
> It gives you a nice, intuitive gui to manage your failover firewall
sadas sadas wrote:
> The syntax is not a problem. The problem is in the performance. I suppose
> that if I configure OpenBSD to process the in/out packets only to layer 2 the
> performance will be much more than linux with iptables.
>
You know SQUAT about filtering on Linux. You want a bridg
Les Mikesell wrote:
> Timo Schoeler wrote:
>>> What about NetBSD? I heard that NetBSD has the best network stack out
>>> there. Maybe NetBSD with pf is the best choice?
>> NetBSD is a very nice OS, I personally like it most (out of all BSDs out
>> there); however, as can be read on
>>
>> http://www
I'd argue handling it at the layer 3 level to be preferable than splitting
every customer into their own vlan.
If you split into vlans like that, if you have single-box customers, you'll
have to have subnet boundaries for every /30...
OTOH, vlan isolation for customers is pretty much the norm, as
Peter Serwe wrote:
> So basically, you're saying you'd want to allow or disallow traffic
> based on mac address? Seems like you could put mac filters on a number
> switches, Cisco being the most easily documented by Mr. Google.
>
> Be a lot faster than any kernel, and a total waste of BSD. If
So basically, you're saying you'd want to allow or disallow traffic based on
mac address? Seems like you could put mac filters on a number switches,
Cisco being the most easily documented by Mr. Google.
Be a lot faster than any kernel, and a total waste of BSD. If you can do it
on Linux via some
The syntax is not a problem. The problem is in the performance. I suppose that
if I configure OpenBSD to process the in/out packets only to layer 2 the
performance will be much more than linux with iptables.
>> I don't know jack about IPSet, but I know enabling or disabling hosts in
>>
On Friday 18 December 2009 16:05, Peter Serwe wrote:
> I don't know jack about IPSet, but I know enabling or disabling hosts in
> bare stock PF without the gui in front of it is about as easy as it gets.
IPTABLES is the same (the destination address after -d is a placeholder here):
iptables -A [INPUT/FORWARD] -d <client-ip> -j [REJECT/DROP]
> The PF configura
On 12/18/2009 4:12 PM, Peter Serwe wrote:
> You can't patch the Berkeley Packet Filter into Linux. Linux kernel
> doesn't support it.
>
> and...
>
> Despite a cacophonous chorus of replies directing you to the right tool
> for the job, you insist on sticking with Linux.
>
> If you want to
sadas sadas wrote:
>
> after quick search in google:
>
> http://postfactum.pl.ua/pf/
>
> I will test to patch latest linux kernel with pf.
> What do you think?
Don't know, my first bet would be to try Debian/BSD and see
if ipf is in there, it's not officially released yet but it
will be in the nex
On 12/18/2009 10:12 PM, Peter Serwe wrote:
> You can't patch the Berkeley Packet Filter into Linux. Linux kernel doesn't
> support it.
>
> and...
>
> Despite a cacophonous chorus of replies directing you to the right tool for
> the job, you insist on sticking with Linux.
>
> If you want to use
On 12/18/2009 10:05 PM, Peter Serwe wrote:
> I don't know jack about IPSet, but I know enabling or disabling hosts in
> bare stock PF without the gui in front of it is about as easy as it gets.
>
> The PF configuration file syntax was designed from the ground up to be sane,
> unlike iptables, whic
You can't patch the Berkeley Packet Filter into Linux. Linux kernel doesn't
support it.
and...
Despite a cacophonous chorus of replies directing you to the right tool for
the job, you insist on sticking with Linux.
If you want to use the wrong tool for the job, by all means, use
ipset/iptables
Timo Schoeler wrote:
>> What about NetBSD? I heard that NetBSD has the best network stack out
>> there. Maybe NetBSD with pf is the best choice?
>
> NetBSD is a very nice OS, I personally like it most (out of all BSDs out
> there); however, as can be read on
>
> http://www.netbsd.org/docs/network
I don't know jack about IPSet, but I know enabling or disabling hosts in
bare stock PF without the gui in front of it is about as easy as it gets.
The PF configuration file syntax was designed from the ground up to be sane,
unlike iptables, which typically needs some decent sysadmin scripting or
u
>> after quick search in google:
>>
>> http://postfactum.pl.ua/pf/
>>
>> I will test to patch latest linux kernel with pf.
Hey! Wait: "The name of this patchset is not connected with BSD Packet
Filter. «pf» means «post-factum» in the short form."
>> What do you think?
>
> Get OpenBSD. Honestly --
> What about NetBSD? I heard that NetBSD has the best network stack out
> there. Maybe NetBSD with pf is the best choice?
NetBSD is a very nice OS, I personally like it most (out of all BSDs out
there); however, as can be read on
http://www.netbsd.org/docs/network/pf.html
there's the 'usual lag'
What about NetBSD? I heard that NetBSD has the best network stack out there.
Maybe NetBSD with pf is the best choice?
>>> I can't find information is there linux or BSD distribution with effective
>>> firewall that uses optimized algorithm to store hundreds of IPs and to
>>> forward huge
> after quick search in google:
>
> http://postfactum.pl.ua/pf/
>
> I will test to patch latest linux kernel with pf.
> What do you think?
Get OpenBSD. Honestly -- all the porting stuff of relatively
kernel-close stuff is just braindead.
Timo
> >sadas sadas wrote:
> >
> >> I can't find info
>> I can't find information is there linux or BSD distribution with effective
>> firewall that uses optimized algorithm to store hundreds of IPs and to
>> forward huge traffic. Any idea?
>
> Hundreds?
>
> http://www.openbsd.org/faq/pf/tables.html
>
> "A table is used to hold a group of IPv4 and/
after quick search in google:
http://postfactum.pl.ua/pf/
I will test to patch latest linux kernel with pf.
What do you think?
>sadas sadas wrote:
>
>> I can't find information is there linux or BSD distribution with effective
>> firewall that uses optimized algorithm to store hundreds of
sadas sadas wrote:
> I can't find information is there linux or BSD distribution with effective
> firewall that uses optimized algorithm to store hundreds of IPs and to
> forward huge traffic. Any idea?
Hundreds?
http://www.openbsd.org/faq/pf/tables.html
"A table is used to hold a group of IPv4
On Fri, Dec 18, 2009 at 2:36 PM, sadas sadas wrote:
> I can't find information is there linux or BSD distribution with effective
> firewall that uses optimized algorithm to store hundreds of IPs and to
> forward huge traffic. Any idea?
I think you'll find that this kind of thing can be handled by
I will explain more deeply. I need to deploy a firewall(s) in front of web
server farm because I need to do billing - I will use CentOS with iptables +
ipset to store a list of my clients so when client doesn't pay his server's IP
is out of the list and he can't access the web server.
Second -
I'll second damn near everything nate said, and hopefully add a tidbit or
two.
If you're new to BSD, you may want to consider the pfsense project in the
aforementioned active-active configuration.
It gives you a nice, intuitive gui to manage your failover firewalls, if you
insist on putting a fir
sadas sadas wrote:
>
> Hi,
> I want to configure CentOS on powerful server with gigabit
> adapters as transparent bridge and deploy it in front of server farm.
> Can you tell how to optimize the OS for high packet processing? What
> configurations I need to do to achieve very high speeds and tho
Hi,
I want to configure CentOS on powerful server with gigabit
adapters as transparent bridge and deploy it in front of server farm.
Can you tell how to optimize the OS for high packet processing? What
configurations I need to do to achieve very high speeds and thousands of
packets?