* netfilter under heavy load.
@ 2003-01-05 15:40 Mike Olivere
  2003-01-06 11:24 ` ITM CS Ruslan O. Nesterov
  0 siblings, 1 reply; 3+ messages in thread

From: Mike Olivere @ 2003-01-05 15:40 UTC (permalink / raw)
To: netfilter

Hello,

I don't know if this has been brought up before, but I am going to be running netfilter under load on a fractional T-3 (12 Mbps). The box will have 3 interfaces: eth0 going to the Cisco 7200, eth1 (routable IPs) going to the web farm for the DMZ zone, and then eth2 will be NATed with a private LAN IP (192.168.1.x). I will be NATing over 200 clients, and I know in the past this could be a problem with IPCHAINS because it would either run out of memory or start dropping connections. The web servers get about 7,000 hits a day and they won't be NATed but will be filtered with a mix of stateful and packet filtering rules. We have a Cisco PIX 525 (which is just an Intel P600/512MB RAM) in place right now, but I would like to move to Netfilter as it will be running on a dual P 1GHz and a gig of memory. Is this possible? Can Netfilter scale to this and beyond? And are there any tweaks I should know about?

Thanks in advance.

Mike
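The two things the question is really asking, how big the connection-tracking table gets and what the ruleset for this three-interface box looks like, are easiest to show as a script. The following is an added example written for this page, not code from the thread or from the netfilter project. It uses the interface roles and the 192.168.1.0/24 LAN from the post; the DMZ block 198.51.100.0/24, the upstream address 203.0.113.2, the 64-flows-per-client and 350-bytes-per-entry figures are assumptions for illustration. The default-sizing arithmetic is a model of the 2.4-era ip_conntrack heuristic (hash buckets derived from RAM, ip_conntrack_max = 8 * buckets), written out here rather than copied from the kernel.

```shell
#!/bin/sh
# Added example, not code from the thread. Models the three-interface box
# from the question: eth0 upstream, eth1 routable DMZ, eth2 LAN 192.168.1.0/24
# behind NAT. DMZ_NET and WAN_ADDR are documentation-range placeholders
# (assumed); flows-per-client and bytes-per-entry are sizing assumptions.
set -eu

WAN=eth0                    # to the Cisco 7200
DMZ=eth1                    # routable web farm
LAN=eth2                    # private clients, NATed
LAN_NET=192.168.1.0/24
DMZ_NET=198.51.100.0/24     # assumption: the routable DMZ block
WAN_ADDR=203.0.113.2        # assumption: the firewall's upstream address

# Model of what the 2.4-era ip_conntrack module picked on its own: one hash
# bucket per 16384 bytes of RAM divided by sizeof(struct list_head) (8 on
# i386), clamped to 8192 buckets above 1 GiB and to at least 16, with the
# entry limit at 8 * buckets. A 1 GiB box therefore stops at 65536 entries.
conntrack_default_max() {          # $1 = RAM in bytes
    buckets=$(( $1 / 16384 / 8 ))
    if [ "$1" -gt 1073741824 ]; then buckets=8192; fi
    if [ "$buckets" -lt 16 ]; then buckets=16; fi
    echo $(( buckets * 8 ))
}

# Size from the traffic instead: expected concurrent flows, doubled for
# entries that linger in TIME_WAIT or wait for a timeout.
planned_max() {                    # $1 = LAN clients, $2 = flows each, $3 = DMZ flows
    echo $(( ( $1 * $2 + $3 ) * 2 ))
}

# Rough memory cost; ~350 bytes per tracked connection is an assumption.
conntrack_bytes() {                # $1 = entries
    echo $(( $1 * 350 ))
}

# The tweaks: raise the entry limit above the plan, keep hash chains short
# (4 entries per bucket), and cut the 5-day established timeout so dead
# client flows do not pin entries. Keys are the current nf_conntrack names;
# on 2.4 the same knobs were /proc/sys/net/ipv4/ip_conntrack_max and the
# ip_conntrack module's hashsize= parameter.
conntrack_tuning() {               # $1 = wanted max entries
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.netfilter.nf_conntrack_max=$1
echo $(( $1 / 4 )) > /sys/module/nf_conntrack/parameters/hashsize
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
EOF
}

# iptables-restore ruleset. ESTABLISHED,RELATED is matched first, so the
# rule walk below runs once per new flow, not once per packet. DMZ -> LAN
# is never opened: a compromised web server gets the FORWARD DROP policy.
ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# static upstream address, so SNAT rather than MASQUERADE
-A POSTROUTING -s $LAN_NET -o $WAN -j SNAT --to-source $WAN_ADDR
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# stateless anti-spoof: the private range never arrives from outside
-A FORWARD -i $WAN -s $LAN_NET -j DROP
-A FORWARD -i $DMZ -s $LAN_NET -j DROP
-A FORWARD -i $LAN -s $LAN_NET -o $WAN -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN -s $LAN_NET -o $DMZ -d $DMZ_NET -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $DMZ_NET -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# plain port filter for DMZ outbound: DNS and package fetches only
-A FORWARD -i $DMZ -s $DMZ_NET -o $WAN -p udp --dport 53 -j ACCEPT
-A FORWARD -i $DMZ -s $DMZ_NET -o $WAN -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# "print" (default) shows the plan; "apply" needs root and live iptables.
want=$(planned_max 200 64 2000)
case "${1:-print}" in
    print)
        echo "# default max on 1 GiB: $(conntrack_default_max 1073741824); planned: $want (~$(conntrack_bytes "$want") bytes)"
        conntrack_tuning "$want"
        ruleset ;;
    apply)
        conntrack_tuning "$want" | sh -e
        ruleset | iptables-restore ;;
esac
```

Run it without arguments to see the sizing and the ruleset; `sh script.sh apply` loads both. The point of the sizing functions is that the automatic default (65536 entries on 1 GiB) is well above what 200 NATed clients plus a 7,000-hits-a-day web farm need, so running out of table space is a timeout problem, not a RAM problem; the established-timeout line is the tweak that matters.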
* Re: netfilter under heavy load.
  2003-01-05 15:40 netfilter under heavy load Mike Olivere
@ 2003-01-06 11:24 ` ITM CS Ruslan O. Nesterov
  2003-01-06 23:08   ` Chris Straessle
  0 siblings, 1 reply; 3+ messages in thread

From: ITM CS Ruslan O. Nesterov @ 2003-01-06 11:24 UTC (permalink / raw)
To: netfilter-admin, Mike Olivere; +Cc: netfilter

Hello Mike,

Well, actually it's not a big problem. I get 100 GB a day passing through our gateway to our clients; so far I haven't found any problems for web servers which are not NATed. As for clients who are in the DMZ zone, I sometimes get a connection error, but it's 1 in 1000 connections. I run a box with the following configuration:

Single PIII-866 MHz
RAM: 256
NIC: 2 Intel Gigabit Ethernet cards (as far as I remember).

Before it I used a Firebox firewall and it really drove me nuts, due to low productivity.

Sunday, January 5, 2003, 6:40:15 PM, you wrote:

MO> Hello, I don't know if this has been brought up before but I am going to be
MO> running netfilter under load on a fractional T-3 (12Mbps). The box will have
MO> 3 interfaces eth0 going to the Cisco 7200, eth1 (routable IPs) going to the
MO> webfarm for DMZ zone, and then eth2 will be NATed with a private LAN IP
MO> (192.168.1.x). I will be NATing over 200 clients and I know in the past this
MO> could be a problem with IPCHAINS because it would either run out of memory
MO> or start dropping connections. The webservers get about 7,000 hits a day and
MO> they won't be NATed but will be filtered with a mix of stateful and packet
MO> filtering rules. We have a Cisco PIX 525 (which is just an Intel P600/512MB
MO> RAM) in place right now but I would like to move to Netfilter as it will be
MO> running on a dual P 1GHz and a gig of memory. Is this possible? Can Netfilter
MO> scale to this and beyond? And are there any tweaks I should know about?

MO> Thanks in advance.

MO> Mike

--
Best regards,
ITM mailto:ruslan@complexsystem.ru
* Re: netfilter under heavy load.
  2003-01-06 11:24 ` ITM CS Ruslan O. Nesterov
@ 2003-01-06 23:08   ` Chris Straessle
  0 siblings, 0 replies; 3+ messages in thread

From: Chris Straessle @ 2003-01-06 23:08 UTC (permalink / raw)
To: ITM CS Ruslan O. Nesterov, Mike Olivere; +Cc: netfilter-admin, netfilter

Hello,

My company has tested several firewalls under high network load. The most important thing is the L2 cache size of the CPU. Check this PDF, it has the information you need. :-)

http://www.terreactive.com/fcgi/fcgi/home/archive/pdf/pf-speed-test.pdf

Bye,
Chris

PS: sorry for my bad English... it's not my language.

ITM CS Ruslan O. Nesterov wrote:
> Hello Mike,
> Well, actually it's not a big problem. I get 100 GB a day passing
> through our gateway to our clients; so far I haven't found any
> problems for web servers which are not NATed. As for clients who are
> in the DMZ zone, I sometimes get a connection error, but it's 1 in 1000
> connections. I run a box with the following configuration:
> Single PIII-866 MHz
> RAM: 256
> NIC: 2 Intel Gigabit Ethernet cards (as far as I remember).
> Before it I used a Firebox firewall and it really drove me nuts,
> due to low productivity.
>
> Sunday, January 5, 2003, 6:40:15 PM, you wrote:
>
> MO> Hello, I don't know if this has been brought up before but I am going to be
> MO> running netfilter under load on a fractional T-3 (12Mbps). The box will have
> MO> 3 interfaces eth0 going to the Cisco 7200, eth1 (routable IPs) going to the
> MO> webfarm for DMZ zone, and then eth2 will be NATed with a private LAN IP
> MO> (192.168.1.x). I will be NATing over 200 clients and I know in the past this
> MO> could be a problem with IPCHAINS because it would either run out of memory
> MO> or start dropping connections. The webservers get about 7,000 hits a day and
> MO> they won't be NATed but will be filtered with a mix of stateful and packet
> MO> filtering rules. We have a Cisco PIX 525 (which is just an Intel P600/512MB
> MO> RAM) in place right now but I would like to move to Netfilter as it will be
> MO> running on a dual P 1GHz and a gig of memory. Is this possible? Can Netfilter
> MO> scale to this and beyond? And are there any tweaks I should know about?
>
> MO> Thanks in advance.
>
> MO> Mike
>
>

--
-----------------------------------------------------------------------
Chris Straessle
http://raptor.homeunix.net/
Alias: sacrelege
email: sacrelege@swissonline.ch
-----------------------------------------------------------------------
end of thread, other threads:[~2003-01-06 23:08 UTC | newest]

Thread overview: 3+ messages
2003-01-05 15:40 netfilter under heavy load Mike Olivere
2003-01-06 11:24 ` ITM CS Ruslan O. Nesterov
2003-01-06 23:08   ` Chris Straessle