
Re: How fast can Linux-Firewalls be?



On Sat, 23 Feb 2002 15:10, Peter Billson wrote:
> Jorge.Lehner@gmx.net wrote:
> > What minimum characteristics would a Linux IP Masquerading Firewall
> > Box need, to run a 100 Mbps link without slowing down traffic.
>
>   There was some discussion last January (2001) about this type of
> thing. The problem you will run into if you are using POTS Intel
> hardware is the PCI bus speed, so you are going to have a tough time

A 33MHz 32bit PCI bus can do 133MB/s in burst mode, a 66MHz bus allows 
267MB/s, and a 66MHz 64bit bus (I've never seen a 64bit PCI network card so 
this is academic) can do up to 533MB/s.

> filling one 100Mbs connection with an old Pentium - assuming an old
> 66Mhz PCI bus. You can forget about filling two or more. Also, cheap

No.  Saturating a 100baseT (10MB/s) network link on an old Pentium is not a 
challenge.

> NICs will do more to kill your max. throughput.

Cheap NICs are unreliable, sometimes need to be reset to recover from 
hardware glitches (causing an interruption to traffic), and use more CPU 
time.  If you have a sufficiently fast CPU and a small number of network 
cards then you'll probably get the same wire speed from cheap and expensive 
cards (apart from when the cheap card needs to be reset).

If you want 6 network cards in a machine then you should get something half 
decent (clone Tulip card for example).

>   That being said, I run old Pentium 133s with 64Mb RAM in several
> applications as routers and can notice no network latency on a 100BaseT
> network, but I have never benchmarked the machines. Usually the

My experience is that latency is noticeable, but throughput remains the same.  
Compare pinging a P-133 vs pinging a 1.4GHz Athlon.  You'll see a ping time 
difference, but you won't expect to see any real performance difference when 
routing through a couple of 100baseT network cards.

But for firewalling the real issue is the number of firewall rules that have 
to be traversed.  If each packet has to be checked against 1000 rules then 
even the newest Athlon machine may have problems.  Have only 2 or 3 rules 
needed for most traffic and a Pentium will do the job.

Make sure you order your rules so that the first rules traversed will be the 
most common ACCEPT rules.

-- 
Signatures >4 lines are rude.  If you send email to me or to a mailing list
that I am subscribed to which has >4 lines of legalistic junk at the end
then you are specifically authorizing me to do whatever I wish with the
message (the sig won't be read).
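The point about rule count and rule order above can be made concrete with a small model of a first-match chain. The following is an added example, not code from the thread or from any firewall package: it walks a chain top to bottom the way ipchains/iptables do, counts how many rules each packet touches, and reorders the chain so the rules that terminate the most packets come first. The chain, the traffic mix and the packet counts are all constructed for the illustration.

```python
"""Model of first-match firewall rule traversal and of reordering by hit count."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

Packet = Tuple[str, int]  # (protocol, destination port)


@dataclass(frozen=True)
class Rule:
    """One rule of a first-match chain; None means 'any' for that field."""
    proto: Optional[str]
    dport: Optional[int]
    action: str  # "ACCEPT" or "DROP"

    def matches(self, pkt: Packet) -> bool:
        proto, dport = pkt
        return self.proto in (None, proto) and self.dport in (None, dport)


def evaluate(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> Tuple[str, int]:
    """Walk the chain top to bottom; return (verdict, number of rules examined).
    A packet matching nothing costs a full traversal and gets the chain policy."""
    for n, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, n
    return policy, len(rules)


def traversal_cost(rules: List[Rule], traffic) -> int:
    """Total rule comparisons for a traffic mix given as (packet, count) pairs."""
    return sum(evaluate(rules, pkt)[1] * count for pkt, count in traffic)


def overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules, so their relative order matters."""
    return (a.proto is None or b.proto is None or a.proto == b.proto) and \
           (a.dport is None or b.dport is None or a.dport == b.dport)


def safe_to_reorder(rules: List[Rule]) -> bool:
    """Reordering keeps every verdict only when no two rules overlap."""
    return not any(overlaps(a, b) for i, a in enumerate(rules) for b in rules[i + 1:])


def reorder_by_hits(rules: List[Rule], traffic) -> List[Rule]:
    """Put the rules that terminate the most packets first (stable: ties keep order).
    Refuses to touch a chain with overlapping rules, where a new order could change verdicts."""
    if not safe_to_reorder(rules):
        raise ValueError("rules overlap; reorder by hand and re-check the verdicts")
    hits: Counter = Counter()
    for pkt, count in traffic:
        for rule in rules:
            if rule.matches(pkt):
                hits[rule] += count
                break
    return sorted(rules, key=lambda r: -hits[r])


# Constructed chain: rarely-hit DROPs sit in front of the busy ACCEPTs (the bad order).
CHAIN = [
    Rule("tcp", 23, "DROP"),
    Rule("tcp", 135, "DROP"),
    Rule("tcp", 139, "DROP"),
    Rule("tcp", 445, "DROP"),
    Rule("udp", 137, "DROP"),
    Rule("tcp", 22, "ACCEPT"),
    Rule("udp", 53, "ACCEPT"),
    Rule("tcp", 80, "ACCEPT"),
    Rule("tcp", 443, "ACCEPT"),
]

# Constructed traffic sample (packets per kind), roughly what a web gateway might see.
TRAFFIC = [
    (("tcp", 80), 700),
    (("tcp", 443), 200),
    (("udp", 53), 80),
    (("tcp", 22), 10),
    (("tcp", 23), 5),
    (("tcp", 12345), 5),  # matches no rule: full traversal, then the chain policy
]


def compare(rules=CHAIN, traffic=TRAFFIC) -> Tuple[int, int]:
    """Return (comparisons before, comparisons after) and confirm no verdict changed."""
    better = reorder_by_hits(rules, traffic)
    assert all(evaluate(rules, p)[0] == evaluate(better, p)[0] for p, _ in traffic)
    return traversal_cost(rules, traffic), traversal_cost(better, traffic)


if __name__ == "__main__":
    before, after = compare()
    packets = sum(c for _, c in TRAFFIC)
    print(f"rule checks per packet: {before / packets:.2f} before, {after / packets:.2f} after")
```

With the constructed mix the chain goes from about 8 comparisons per packet to about 1.5 just by moving the common ACCEPT rules to the top. On a real box the hit counts come from the per-rule packet counters (`iptables -L -v -n`, or `ipchains -L -v` on 2.2 kernels); the `safe_to_reorder` check is the part people skip, and it is what stops a reorder from silently letting a DROP rule fall behind a broader ACCEPT.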