From: Sudheer Divakaran <sudheer@svw.com>
To: netfilter@lists.netfilter.org
Subject: Re: Is Linux based Gateway/Firewall feasible
Date: Thu, 08 Jul 2004 20:00:33 +0530
Message-ID: <40ED5A89.1040002@svw.com>
In-Reply-To: <Pine.LNX.4.44.0407081537580.3962-100000@Megathlon.ESI>
Hi,
If I've misled anyone, I'm sorry. I was talking about NATing.
Thanks,
Sudheer
Marco Colombo wrote:
>On Thu, 8 Jul 2004, Sudheer Divakaran wrote:
>
>>Hi,
>>
>>I've a local LAN consisting of about 150 machines. I'm using a machine
>>with Linux + IPTables as the gateway machine which inturn connects to
>>two different ISPs. My question is can a Linux based machine match the
>>performance of a hardware based routers provided by Cisco,... OR is my
>>decision to go for a Linux based solution is a wrong one?.
>>
>>Is there so much difference between these two solutions?
>>
>>Can I achieve the same performance using a high end PC and Linux?
>>
>>I'm asking this because one guy told me that my decision to go for a
>>Linux based solution is a wrong one and it can never match the
>>performance of hardware based Routers.
>
>iptables is not concerned with routing. If you're comparing
>a Cisco _routing_ solution with a linux-based one, this is the wrong
>list I think. There are many things to consider: raw performances,
>routing software (are you running EIGRP?) and so on, all off topic here.
>
>Nonetheless, ask that guy to show you a real 'hardware based router'.
>That is, remove any software (IOS) from a Cisco piece of hardware
>and see how it performs. Ciscos (but high end ones only) do have
>specialized hardware, so you may refer to it as "hardware-assisted
>routing", no more. But they're software-based routers, too.
>Again, this is quite off topic.
>
>iptables is about filtering, NATing, mangling IP packets (am I missing
>anything?). Yeah, Ciscos can do that too. But, please correct me
>if I'm wrong, I'm not aware of _any_ hardware that assists them in
>that. So it's not hardware-based filtering anyway. It's all in software.
>
>The following rule:
>
>iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>which may make sense in simple setups, takes _global_ decisions;
>it can hardly be "distributed" to interface processors (think of
>packets belonging to the same flow that may arrive from two different
>interfaces).
>
>In the end, the right question is: how does iptables compare to IOS
>access-lists? I'll leave the comparison to others. All I know is
>that there's no UNIX shell running on a Cisco. There's no UNIX-like
>environment. Put two lines in crontab, and have them invoke a script
>that sets iptables up, passing it a parameter (night/day), in order
>to implement less permissive rules at night and during weekends.
>Now do the same with a Cisco. You get the idea.
>
>.TM.
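The day/night switch Marco sketches above (two crontab lines calling a script that loads a stricter FORWARD policy at night and on weekends), written out as an added example. This is not code from the thread or from the netfilter project; the interface names, the LAN prefix, the install path and the "mail and DNS only at night" policy are constructed assumptions. The stateful ESTABLISHED,RELATED rule quoted in the thread is kept as the baseline of both modes, and the rules are generated as text first so they can be reviewed or dry-run (IPTABLES=echo) before anything touches the kernel.

```shell
#!/bin/sh
# Added example: a day/night iptables FORWARD policy driven from cron.
# Assumptions (constructed, not from the original message):
#   LAN on eth0 = 192.168.1.0/24; script installed as /usr/local/sbin/fwmode.
#
# crontab lines (Friday 20:00 "night" stays in force through the weekend):
#   0 8  * * 1-5  /usr/local/sbin/fwmode apply day
#   0 20 * * 1-5  /usr/local/sbin/fwmode apply night

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run
LAN_IF="eth0"
LAN_NET="192.168.1.0/24"

# Print the FORWARD-chain rules for a mode ("day" or "night"), one per line,
# so the policy can be reviewed, diffed or tested before it is applied.
rules_for() {
    mode="$1"
    # Stateful baseline from the thread: replies of tracked flows pass.
    # This is the "global decision": conntrack state is per box, not per interface.
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -m state --state INVALID -j DROP"
    case "$mode" in
        day)
            # Business hours: the LAN may open any new outbound connection.
            echo "-A FORWARD -i $LAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT"
            ;;
        night)
            # Nights and weekends: only SMTP and DNS from the LAN; log the rest.
            echo "-A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 25 -m state --state NEW -j ACCEPT"
            echo "-A FORWARD -i $LAN_IF -s $LAN_NET -p udp --dport 53 -m state --state NEW -j ACCEPT"
            echo "-A FORWARD -i $LAN_IF -s $LAN_NET -m state --state NEW -j LOG --log-prefix night-drop:"
            ;;
        *)
            echo "usage: $0 show|apply day|night" >&2
            return 1
            ;;
    esac
    # Anything not explicitly accepted above is dropped.
    echo "-A FORWARD -j DROP"
}

# Replace the FORWARD chain with the rule set for the given mode.
apply_mode() {
    mode="$1"
    rules_for "$mode" >/dev/null || return 1   # validate the mode first
    "$IPTABLES" -F FORWARD
    "$IPTABLES" -P FORWARD DROP                # fail closed while rules load
    rules_for "$mode" | while IFS= read -r rule; do
        # Word-split the rule line into arguments for the iptables binary.
        # shellcheck disable=SC2086
        set -- $rule
        "$IPTABLES" "$@"
    done
}

# Command-line dispatch: "show MODE" prints the rules, "apply MODE" loads them.
case "${1:-}" in
    show)  rules_for "${2:-}" ;;
    apply) apply_mode "${2:-}" ;;
esac
```

Run `IPTABLES=echo /usr/local/sbin/fwmode apply night` to see exactly what cron would execute at 20:00 without changing the running firewall; `fwmode show day` prints only the rule text. The chain is flushed and the policy set to DROP before the new rules are loaded, so a failure mid-load leaves the gateway closed rather than open.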