From: Sertys <sertys@supportivo.org>
To: Netfilter list <netfilter@lists.netfilter.org>
Subject: Re: iptables on multiple CPUs (SMP & Hyperthreading question)
Date: Fri, 3 Jun 2005 12:12:08 +0000 (UTC)
Date: Sat, 04 Jun 2005 21:29:49 +0300
Message-ID: <opsruyzzkd76nf2y@xonix>
In-Reply-To: <429FBD3B.4040007@gmx.co.uk>

On Thu, 02 Jun 2005 21:15:23 -0500, /dev/rob0 <rob0@gmx.co.uk> wrote:

> Michael Buffer wrote:
>> I'm considering purchasing some firewall machines for my organization,
>> and I am trying to decide whether a machine with multiple CPUs is worth
>> the additional expense performance-wise (aside from being able to assign
>> CPUs
>
> ??? I cannot believe this is even under consideration. Just how big is  
> your organisation?
>
> I run iptables firewalls on very modest machines, with single and dual  
> T1 lines, and there is never any CPU load from the packet filtering nor  
> the NAT. I don't have any really large sites, but I strongly suspect  
> that iptables firewalling of very large sites could easily be handled by  
> dumpster-grade equipment.
>
> Of course with a budget like yours you'll want something new, which is
> better (we hope) for the physical reliability of the machine. A fast CPU
> is useful for a fast boot time to minimise down time in the event of
> problems. Otherwise, a waste.
>
> Listen, I ran my home cable, with multiple simultaneous large downloads
> and 3-4 busy Web browsers on a 386. It never broke a sweat. This of
> course used ISA 10Mbit NICs. It could have handled many times the load
> without problem.
>
> Why did I decommission it? Electricity. I only had so many outlets, and I
> needed a machine to perform more complex tasks, so the firewall job got
> handed off to another machine, and the 386 was retired. Still here in
> case I need it again.
>
> I need a new computer ATM. How about I build a firewall machine for you,  
> and you send me that SMP super machine? ;)

This of course seems to me like a stupendous statement. OK? If your
firewall is hit by 3000 packets per minute, that's not a great load
issue. But imagine you have 30000 clients you need to NAT and route.
That's an awful lotta power, and you don't have to underestimate the chance
of your CPU not handling them. I've seen such situations in many ISPs. Their
routers (x86) just can't handle the traffic. And the dude one step before
in the thread asked you the right question anyway: Just how big is your
organisation? Measure your traffic! If it is less than 200-300 Mbit/s you
should not be worrying. If it's more and you have some intense
services (IDSs, slow rule traversal because of many rules, multiple
servers on each machine), that's when you shall invest your $$$ in BIGGER
machines. Indeed Linux handles SMP almost perfectly, same for HT, but both
of them together is not a good idea (2x2 Xeons for example), because of the
inconvenience of the POSIX threading model and the lack of specialized
support for this type of process queuing.

-- 
www.supportivo.org

I can't stop myself checking for pigs in the outlets. Everybody thinks I'm
a punk, 'cause of the hairstyle (220V).
end

