
Re: CPU for firewall machine?

See below.

At 04:35 PM 8/10/00 -0300, John Ackermann wrote:
>I'm putting together a box to serve as a Linux firewall.  It will have
>three ethernet interfaces: one to an ISDN (soon, I hope, to be 384kb DSL)
>router, one to an internal network with a handful of PCs and one Linux
>box that serves as both my playtoy and a samba file server, and the third 
>to two or three web/mail/etc. servers that will be visible to the outside 
>world.  The traffic load on the network is generally going to be light, and
>of course the internet feed is at a very modest speed.  But, the firewall 
>will be doing ipmasq stuff for the private network, and there will be times 
>when a lot of data is moving between the DMZ servers and the internal network.
>I have a nice small box with a 486DX4/100 in it, and am wondering if that's 
>sufficient horsepower for this sort of application, or whether I should be 
>looking at a Pentium.

Your 486 is more than enough for the ISDN/DSL traffic. No contest there
(well, one ... if your DSL line ends up running over PPPoE, the RP driver
for PPPoE tends to burn CPU cycles).

For internal routing ... my own tests confirm the conventional wisdom that a
modest-speed 486 (a 486DX266 for sure, probably even a DX40) is plenty fast
enough for the 5 mbps throughput that is the effective limit of 10 mbps Ethernet.

If the system needs to run PPPoE for DSL *and* route internally at 5 mbps
... that you would need to test. Back-of-the-envelope calculations say it
will probably work, but I haven't actually seen that combination tested.

>A second question arises from the fact that the DMZ network is all using 
>100MB ethernet cards, talking to each other through a speed-sensing,
>switching hub, and I suspect that I won't find an ISA bus 100MB ethernet 
>card for a price I'm willing to pay.  

Don't even try.

>Will there be a significant impact 
>if the servers have to switch to 10MB mode to talk with the firewall (the 
>internal network is all 10MB, so there's no issue on that side).

The answer should be "no" ... given that the connection eventually throttles
to 10 mbps anyway, on the private side of the router. But I haven't actually
tested this, so you might find someone else with actual experience will give
you better advice on this one.

------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA           	 	         ray@comarre.com        
