Re: CPU for firewall machine?

John Ackermann wrote:
> In message <20000810134055.A27518@tolkien.emyr.net>, Luca Filipozzi writes:
> >On Thu, Aug 10, 2000 at 04:35:36PM -0300, John Ackermann wrote:
> >[snip description of firewall with three interfaces]
> >> I have a nice small box with a 486DX4/100 in it, and am wondering if that's
> >> sufficient horsepower for this sort of application, or whether I should be
> >> looking at a Pentium.
> >
> >A 486DX4/100 is plenty for this application. I use a 486SX/25 to firewall
> >my house from my ADSL connection. It masq's and port forwards just fine.
> >
> >[snip stuff about 100Mbps vs 10Mbps]
> >> Will there be a significant impact
> >> if the servers have to switch to 10MB mode to talk with the firewall (the
> >> internal network is all 10MB, so there's no issue on that side).
> >
> >Well, since your net connection isn't 10Mbps, I don't think it's
> >a problem for your DMZ boxen to be limited to 10Mbps.
> Thanks for the *very* quick response, Luca!  My concern about the NIC speed
> is not for the 'net traffic (which is way slow) but rather the traffic
> passing from the internal network through the firewall to the DMZ machines
> -- at times, there may be quite a bit of it (for example, I will probably
> be backing up the servers to a tape drive on the private network).  Of course,
> the bottleneck is still the 10MB speed on the internal network side, so
> it probably doesn't make any difference...

I would have some concern about full speed 10MB routing on a 486, but
every time I've checked `top` or similar during heavy routing the CPU
has been loafing. Is `top` a good indicator of this, or is it only
tracking non-kernel processes?

Perhaps some benchmarking would be in order? Transfer some huge file
within the DMZ, then across the firewall.


Paul Reavis                                      preavis@partnersoft.com
Design Lead
Partner Software, Inc.                        http://www.partnersoft.com
