Re: Firewall performance querry

[Chris Brenton <cbrenton@chrisbrenton.org>]

Pradeep Bhomia wrote:
> 
>  Before moving ahead I want to know what will be the load on the
> firewall. The configuration of firewall box is P4, ~1.8GHz, 256MB RAM, 
> Mandrake Linux 9.1, IPTables 1.2.7 and Shorewall 1.3.14. I will be having 
> aroung 300-400 concurrent users.

You didn't mention link speed. Really it comes down to concurrent 
sessions rather than total users that defines the amount of throughput 
you need. Knowing the link speed will help you figure out if the 
performance gate will be the firewall or the link.

With that said, I've pushed as much as 300 Mb though a similar box (1.2 
GHz w/512 MB RAM) and its worked great, ***provided*** you are not 
trying to log too much of the traffic. If you do, the log entries start 
getting truncated with only partial information getting recorded, and 
latency across the firewall starts to climb drastically. With this in 
mind, hardware with good disk and bus I/O becomes more important than 
CPU. I've found that Compaq/HP Proliant boxes outfitted with RAID seems 
to do the best job in keeping up, your mileage may vary.

<soapbox>
I *think* part of the reason why this is a problem is that iptables 
records more information about passing packets than any other packet 
filtering firewall (this is one of its strengths in my book). Recording 
more info means more of a performance hit. It would be nice if '-j LOG' 
supported a '--verbose' setting or something similar so the user could 
choose between detailed info like it products now, and minimal info more 
in lines with commercial products. That way you could at least be 
logging something at high speeds rather than nothing at all.
</soapbox>

> I plan to setup NATting. Can anybody help me 
> in this regard. Whether NATting will be sufficient to take care about this 
> load or some other method can be used ( Total load on firewall will be some 
> 1000 email accounts on sendmail server and around 400 clients for web 
> browsing).

SMTP is not too bad as its pretty efficient. HTTP is the one that kills 
you as it spawns a unique concurrent session for every object on a web 
page you try to view. For example a user visiting www.netfilter.org 
generates 6 unique sessions to view the homepage. Microsoft's homepage 
is 10 sessions, Security Focus is 70, you get the idea.

Max concurrent sessions on iptables is around 16K, but you can tweak 
this up if needed. Again, keep an eye on how much logging you are doing 
and life should be cool.

HTH,
C