Linux Netfilter discussions
From: Thomas Jacob <jacob@internet24.de>
To: netfilter@lists.netfilter.org
Subject: Re: netfilter optimization.
Date: Sun, 26 Aug 2007 00:58:37 +0200	[thread overview]
Message-ID: <20070825225837.GA26251@internet24.de> (raw)
In-Reply-To: <57F9959B46E0FA4D8BA88AEDFBE5829024F4B9@pxtbenexd01.pxt.primeexalia.com>


> So, this leads us to solving the connection pooling issue.  We have two 1.8GHz machines with 512MB, one is the active firewall, the other one would be the failover.  Each one has 4 NICs, two onboard 100MB and a dual 1GB.  Here is the config:
> 
> eth0 -> INET (100MB)
> eth1 -> Private, heartbeat for linux-HA (100MB) -- Future implementation
> eth2 -> DMZ (1GB)
> eth3 -> Internal (1GB)

Unless you have a lot of traffic between the DMZ and the internal network, and assuming
100MB means 100Mbps, and that you have some decent NICs (maybe with NAPI/interrupt
throttling, Intel's work nicely), you should probably be fine. We're running something similar
with about 400Mbps peak traffic and a P4 3GHz and it's maybe at 30-40% capacity in peak hours.

Good NICs, good buses (PCI-Express), high memory transfer rates & large
cache sizes all make a difference though.

Harald Welte gave a talk once about selecting hardware for netfilter firewalls,
the notes are available online, maybe it's helpful to you:

http://www.heinlein-support.de/upload/slac/network_performance.pdf

> Anyway, this is one of the reasons we are rebuilding the firewalls.  The other reason being a spinlock bug in that kernel version.  So, we wanted to go with something fresher.

In kernel 2.4 there are some "nice" effects under various load levels and attacks; 2.6
kernels are much more robust there. We've added a packet rate limiter
(using hashlimit) for good measure and since then never had any troubles
again.

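The hashlimit rate limiter mentioned above is only named, not shown. The script below is an added example, not Thomas Jacob's ruleset or anything from the original thread: it emits an iptables-restore ruleset for the eth0 (Internet) / eth2 (DMZ) / eth3 (internal) layout quoted earlier in the message, with a per-source-IP limiter on new TCP connections arriving from the Internet placed in front of the zone policy. The interface names are taken from the quoted config; the rate, burst, hash-table bounds and the DMZ ports 80/443 are assumptions to be tuned for the site.

```shell
#!/bin/sh
# Added example (not from the original thread): emit an iptables-restore
# ruleset for the eth0 (Internet) / eth2 (DMZ) / eth3 (internal) layout
# quoted in the thread, with a hashlimit-based per-source limiter on new
# TCP connections arriving from the Internet. Interface names come from
# the quoted config; rates, burst, table bounds and the allowed DMZ ports
# are assumptions to be tuned for the site.

INET_IF=${INET_IF:-eth0}
DMZ_IF=${DMZ_IF:-eth2}
LAN_IF=${LAN_IF:-eth3}
SYN_RATE=${SYN_RATE:-30/sec}     # sustained new connections per source IP
SYN_BURST=${SYN_BURST:-60}       # burst allowed above that rate
HT_MAX=${HT_MAX:-65536}          # cap on tracked sources (bounds kernel memory)
HT_EXPIRE=${HT_EXPIRE:-10000}    # idle entry lifetime in milliseconds

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_LIMIT - [0:0]
# Loopback and already-tracked flows never touch the limiter.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Every new TCP connection from the Internet passes through SYN_LIMIT
# before the per-zone policy below decides whether it is allowed at all.
-A FORWARD -i $INET_IF -p tcp --syn -m conntrack --ctstate NEW -j SYN_LIMIT
# Under the per-source rate: RETURN to FORWARD. Over it: drop.
-A SYN_LIMIT -m hashlimit --hashlimit-name inet_syn --hashlimit-mode srcip --hashlimit-upto $SYN_RATE --hashlimit-burst $SYN_BURST --hashlimit-htable-max $HT_MAX --hashlimit-htable-expire $HT_EXPIRE -j RETURN
-A SYN_LIMIT -j DROP
# Internet -> DMZ: only the published services (ports assumed).
-A FORWARD -i $INET_IF -o $DMZ_IF -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Internal network may open connections to the DMZ and the Internet.
-A FORWARD -i $LAN_IF -o $DMZ_IF -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $INET_IF -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

apply_rules() {
    # iptables-restore replaces the whole table atomically: a ruleset that
    # fails --test leaves the running rules untouched.
    gen_rules | iptables-restore --test && gen_rules | iptables-restore
}

case "${1:-print}" in
    print) gen_rules ;;
    apply) apply_rules ;;
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Run it with `print` to review the ruleset and with `apply` (as root) to load it. Two things to keep in mind when using hashlimit this way: the iptables versions current in 2007 spelled the rate option `--hashlimit` rather than `--hashlimit-upto` (current versions accept both), and a per-srcip limiter creates one table entry per source, so a flood with spoofed sources fills the table rather than being limited; `--hashlimit-htable-max` bounds the memory that can cost, and `--hashlimit-srcmask` can aggregate sources into prefixes if the entry count becomes the problem.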


Thread overview: 12+ messages
2007-08-25 17:38 netfilter optimization Gary W. Smith
2007-08-25 17:57 ` Leonardo Rodrigues Magalhães
2007-08-25 18:51   ` Gary W. Smith
2007-08-25 22:58     ` Thomas Jacob [this message]
2007-08-25 23:21       ` Thomas Jacob
2007-08-25 23:29         ` Gary W. Smith
2007-08-26  0:03         ` Gary W. Smith
2007-08-26 10:58           ` Thomas Jacob
2007-08-26 20:27             ` Gary W. Smith
2007-08-27 16:48             ` David Lang
2007-08-25 23:27       ` Gary W. Smith
     [not found] <200708252302.l7PN2U2S011637@mail3.jubileegroup.co.uk>
2007-08-26  7:38 ` G.W. Haywood
