On Thu, 2011-09-01 at 10:12 -0700, ARUN CHAKRAPANI RAO wrote:
> 
> Not sure where to ask this question. Please excuse me if it is the
> wrong place.
> I have started the ISP service and I am quite new in this process. 
> I am planning to provide the service totally with an open source
> concept. Currently I am using around 350Mbps of traffic, but in the
> coming months it will be bumped up to around a Gbps. Currently we are
> seeing around 1200 to 1500 concurrent users. Once we start the Gbps
> traffic we are expecting around 2 to 3000 concurrent users.
> Currently I do not have any kind of a firewall, but I was thinking
> whether Shorewall can be used as a firewall. Can this software handle the
> load or is this software only for a small residence? Please do give me
> a suggestion, your help is greatly appreciated.
> If yes, any idea what kind of hardware we are looking for to get this
> implemented.
> 

I guess my first question would be "What would be the purpose of this
firewall?". If you are operating an ISP service, you most probably don't
want to restrict outgoing connections from your subscribers to the
internet. If you filter incoming connections from the internet to your
subscribers, you are likely to break a lot of applications (BitTorrent
comes to mind). So placing a firewall between your subscribers and the
internet probably doesn't make a lot of sense.

I would think that the only place where you would want a firewall is in
front of the systems that you use to run the business itself (your web
server, desktops, etc.). And that can be done with very modest hardware.

One thing that I should clarify is that Shorewall itself is not really a
firewall; it is rather a tool for configuring Netfilter, the packet
filter built into the Linux kernel. So if you build a Linux-based
firewall, its throughput capability is limited by Netfilter and the
complexity of your ruleset, and not by the firewall configuration tool
that you use. And ruleset complexity only affects the cost of connection
establishment and not the cost of forwarding packets that are part of an
existing connection.

Hope this helps,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
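
The point in the reply above about ruleset complexity, as an added example that is not part of the original message and is not Netfilter or Shorewall code: a simplified model of a stateful filter that counts rule comparisons for the first packet of a flow versus the rest of it. The class, function names, addresses and ports are constructed for illustration, and the model assumes the established-connection check is a table lookup done before the ruleset is walked.

```python
# Simplified model of a stateful packet filter (added example, not Netfilter code).
# Assumption: a linear first-match rule list plus a connection-tracking table.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto")

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules          # list of (predicate, verdict), first match wins
        self.conntrack = set()      # flows already accepted, both directions
        self.rule_evals = 0         # rule comparisons performed so far

    @staticmethod
    def _reverse(p):
        return Packet(p.dst, p.dport, p.src, p.sport, p.proto)

    def handle(self, pkt):
        # Fast path: packet belongs to a tracked connection, ruleset not walked.
        if pkt in self.conntrack:
            return "ACCEPT"
        # Slow path: the first packet of a connection walks the ruleset.
        for predicate, verdict in self.rules:
            self.rule_evals += 1
            if predicate(pkt):
                if verdict == "ACCEPT":
                    self.conntrack.add(pkt)
                    self.conntrack.add(self._reverse(pkt))
                return verdict
        return "DROP"               # default policy

def build_rules(n_filler):
    # n_filler constructed rules that never match, then one accepting HTTPS to a server.
    filler = [(lambda p, port=10000 + i: p.dst == "192.0.2.99" and p.dport == port, "DROP")
              for i in range(n_filler)]
    allow = (lambda p: p.dst == "192.0.2.10" and p.dport == 443 and p.proto == "tcp", "ACCEPT")
    return filler + [allow]

def rule_evals_for_flow(n_filler, n_packets):
    """Return (rule evals for the first packet, rule evals for all later packets)."""
    fw = StatefulFilter(build_rules(n_filler))
    out = Packet("198.51.100.7", 40000, "192.0.2.10", 443, "tcp")  # constructed flow
    back = fw._reverse(out)
    fw.handle(out)
    first = fw.rule_evals
    for i in range(n_packets - 1):
        fw.handle(out if i % 2 else back)   # alternate directions
    return first, fw.rule_evals - first

if __name__ == "__main__":
    for size in (10, 1000):
        print(size, rule_evals_for_flow(size, 10_000))
```

In this model a hundredfold larger ruleset raises only the cost of the first packet; every later packet of the flow costs one table lookup regardless of ruleset size.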
