Re: How fast can Linux-Firewalls be?
On Sat, 23 Feb 2002 15:10, Peter Billson wrote:
> Jorge.Lehner@gmx.net wrote:
> > What minimum characteristics would a Linux IP Masquerading Firewall
> > Box need, to run a 100 Mbps link without slowing down traffic.
>
> There was some discussion last January (2001) about this type of
> thing. The problem you will run into if you are using POTS Intel
> hardware is the PCI bus speed, so you are going to have a tough time
A 33MHz 32bit PCI bus can do 133MB/s in burst mode, a 66MHz bus allows
267MB/s, and a 66MHz 64bit bus (I've never seen a 64bit PCI network card so
this is academic) can do up to 533MB/s.
> filling one 100Mbs connection with an old Pentium - assuming an old
> 66Mhz PCI bus. You can forget about filling two or more. Also, cheap
No. Saturating a 100baseT (10MB/s) network link on an old Pentium is not a
challenge.
> NICs will do more to kill your max. throughput.
Cheap NICs are unreliable, sometimes need to be reset to recover from
hardware glitches (causing an interruption to traffic), and use more CPU
time. If you have a sufficiently fast CPU and a small number of network
cards then you'll probably get the same wire speed from cheap and expensive
cards (apart from when the cheap card needs to be reset).
If you want 6 network cards in a machine then you should get something half
decent (clone Tulip card for example).
> That being said, I run old Pentium 133s with 64Mb RAM in several
> applications as routers and can notice no network latency on a 100BaseT
> network, but I have never benchmarked the machines. Usually the
My experience is that latency is noticeable, but throughput remains the same.
Compare pinging a P-133 vs pinging a 1.4GHz Athlon. You'll see a ping time
difference, but you won't expect to see any real performance difference when
routing through a couple of 100baseT network cards.
But for firewalling the real issue is the number of firewall rules that have
to be traversed. If each packet has to be checked against 1000 rules then
even the newest Athlon machine may have problems. Have only 2 or 3 rules
needed for most traffic and a Pentium will do the job.
Make sure you order your rules so that the first rules traversed will be the
most common ACCEPT rules.
--
Signatures >4 lines are rude. If you send email to me or to a mailing list
that I am subscribed to which has >4 lines of legalistic junk at the end
then you are specifically authorizing me to do whatever I wish with the
message (the sig won't be read).
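[Editor's note, not part of the thread.] The rule-ordering advice above assumes the linear, first-match traversal that ipchains/iptables chains do: every packet is tested against rules from the top until one matches, so the cost per packet is the index of the first matching rule. The following added example (not code from any poster; rule set, traffic mix and names are all constructed for illustration) models that traversal and counts rule evaluations for the same 21 rules in two orders, with the one "most common ACCEPT" rule (established connections) placed last versus first.

```python
"""Model of linear first-match firewall chain traversal (ipchains/iptables style).

Everything here is constructed for illustration: the rule set, the traffic
mix and the helper names are hypothetical, not taken from any real box.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" / "udp"
    dst_port: int
    iface: str
    state: str      # "NEW" or "ESTABLISHED" (conntrack state)


@dataclass(frozen=True)
class Rule:
    target: str                     # "ACCEPT" or "DROP"
    proto: Optional[str] = None     # None means "any" (wildcard)
    dst_port: Optional[int] = None
    iface: Optional[str] = None
    state: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # A rule matches when every non-wildcard field equals the packet's.
        return all(want is None or want == got for want, got in (
            (self.proto, p.proto), (self.dst_port, p.dst_port),
            (self.iface, p.iface), (self.state, p.state)))


def evaluate(chain: List[Rule], packet: Packet, policy: str = "DROP") -> Tuple[str, int]:
    """Walk the chain top to bottom; return (verdict, number of rules examined)."""
    for examined, rule in enumerate(chain, 1):
        if rule.matches(packet):
            return rule.target, examined
    return policy, len(chain)       # fell off the end: chain policy applies


def cost(chain: List[Rule], traffic: List[Tuple[Packet, int]]) -> int:
    """Total rule evaluations for a traffic mix of (packet, count) pairs."""
    return sum(evaluate(chain, pkt)[1] * count for pkt, count in traffic)


# 20 "specific" rules: 7 ACCEPTs for new connections to services, 13 DROPs.
SPECIFIC = (
    [Rule("ACCEPT", proto="tcp", dst_port=port, state="NEW")
     for port in (22, 25, 53, 80, 110, 143, 443)]
    + [Rule("DROP", proto="tcp", dst_port=port)
       for port in (135, 137, 138, 139, 445, 1433, 3389, 5900, 6000, 6667,
                    8080, 31337, 12345)]
)
# The one rule that matches the bulk of real traffic: established connections.
ESTABLISHED = Rule("ACCEPT", state="ESTABLISHED")

BAD_CHAIN = SPECIFIC + [ESTABLISHED]      # common ACCEPT rule last
GOOD_CHAIN = [ESTABLISHED] + SPECIFIC     # common ACCEPT rule first

# Constructed traffic mix (per 1000 packets): mostly established HTTP.
TRAFFIC = [
    (Packet("tcp", 80, "eth0", "ESTABLISHED"), 850),
    (Packet("tcp", 80, "eth0", "NEW"), 100),
    (Packet("tcp", 445, "eth0", "NEW"), 40),     # hits a DROP rule
    (Packet("udp", 1900, "eth0", "NEW"), 10),    # matches nothing; policy
]


def compare_orderings() -> Tuple[int, int]:
    """Rule evaluations per 1000 packets for the bad and good orderings."""
    return cost(BAD_CHAIN, TRAFFIC), cost(GOOD_CHAIN, TRAFFIC)


if __name__ == "__main__":
    bad, good = compare_orderings()
    print(f"common ACCEPT last:  {bad} rule evaluations / 1000 packets")
    print(f"common ACCEPT first: {good} rule evaluations / 1000 packets")
```

With this mix the same 21 rules cost roughly nine times more CPU per packet when the established-connection ACCEPT sits at the bottom, which is the effect the reply warns about. Verdicts are identical in both orders here because the specific rules only match NEW or DROP-only ports; when reordering a real chain, check that no earlier rule shadows a later one, since first-match semantics mean order can change the decision as well as the cost.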