Mailing List Archive

Linux enterprise firewall
I need some help here. Has anyone set up a Linux firewall with dual Gig NICs
in it? For some reason it was only allowing 12 Mb/s across the firewall. I had
the firewall set to accept and forward all traffic and to deny nothing.

I had the routes set correctly; traffic was crawling across the machine.

TIA for any help or insight anyone can provide.


--
Advanced Hosting UNIX Admin | Daniel Fairchild danielf@supportteam.net
To rate my service or provide feedback, please visit the following URL:
http://www.supportteam.net/rate.php3

Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
Re: Linux enterprise firewall
Advanced Hosting UNIX Admin Daniel Fairchild wrote:
>
> I need some help here. Has anyone set up a Linux firewall with dual Gig NICs
> in it? For some reason it was only allowing 12 Mb/s across the firewall. I had
> the firewall set to accept and forward all traffic and to deny nothing.

An NAI paper exploring authentication overheads on fast networks
http://www.pgp.com/research/nailabs/cryptographic/adaptive-cryptographic.asp
gives some data that might be relevant.

Pentium II cycles per byte processed:

Linux IP stack alone: 5
doing IPsec but no crypto: 11

Presumably if you're doing IP twice, once in and once out, you need 10
cycles per byte just for that. To get gigabit throughput, you need 10/8
of a gigahertz just for that. That is, you need roughly a 1.3 GHz box
just to handle the traffic without any firewalling.

There was a good paper at last year's Ottawa Symposium on doing it
faster than that, though:
http://www.linuxsymposium.org/2000/routing.php

I've no real idea how expensive netfilter processing is. If it is about
as expensive as IP processing, then you appear to need at least a 2.6
GHz box to get gigabit throughput.

If it is much more expensive than that, as it almost certainly would be
with a highly complex set of firewall rules, you would appear to have
a really hard problem facing you.

This may be a situation where Linux on standard hardware cannot cut it.
Time to dig out a chequebook and the phone number for your Cisco rep?
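The cycles-per-byte budget above, worked through as a small script. This is an added example and not part of the thread; the only measured figure it uses is the 5 cycles/byte for the Linux IP stack quoted from the NAI paper. The 10 cycles/byte for netfilter is the reply's own guess (assumed equal to IP processing), and the 500 MHz clock used for the inverse calculation is a made-up value to show how to turn an observed throughput back into an implied per-byte cost.

```python
"""CPU budget for a software packet forwarder, in cycles per byte.

Constructed example. Figures:
  - 5 cycles/byte for the Linux IP stack: quoted in the thread from the NAI paper.
  - 10 cycles/byte for netfilter: the thread's assumption, not a measurement.
  - 500 MHz clock in the inverse calculation: hypothetical, not from the thread.
"""

BITS_PER_BYTE = 8

# Per-stage cost from the thread: IP processing once inbound, once outbound.
IP_STACK_CYCLES_PER_BYTE = 5.0
ASSUMED_NETFILTER_CYCLES_PER_BYTE = 10.0  # assumption: "about as expensive as IP"


def required_clock_hz(cycles_per_byte: float, line_rate_bps: float) -> float:
    """Clock rate needed to spend `cycles_per_byte` on every byte at `line_rate_bps`."""
    bytes_per_second = line_rate_bps / BITS_PER_BYTE
    return cycles_per_byte * bytes_per_second


def max_throughput_bps(clock_hz: float, cycles_per_byte: float) -> float:
    """Inverse: the line rate a given clock can sustain at `cycles_per_byte`."""
    return clock_hz / cycles_per_byte * BITS_PER_BYTE


def implied_cycles_per_byte(clock_hz: float, observed_bps: float) -> float:
    """If the CPU were the bottleneck, how many cycles is each forwarded byte costing?

    Comparing this against the known per-byte costs tells you whether a slow
    forwarder is actually CPU-bound or whether the bottleneck is elsewhere.
    """
    return clock_hz / (observed_bps / BITS_PER_BYTE)


def forwarding_budget(stages: dict, line_rate_bps: float) -> dict:
    """Sum per-stage cycle costs and report the clock each stage and the total need."""
    per_stage = {name: required_clock_hz(cost, line_rate_bps) for name, cost in stages.items()}
    total_cycles = sum(stages.values())
    return {
        "per_stage_hz": per_stage,
        "total_cycles_per_byte": total_cycles,
        "total_hz": required_clock_hz(total_cycles, line_rate_bps),
    }


if __name__ == "__main__":
    gigabit = 1e9

    # The thread's first number: IP in + IP out = 10 cycles/byte -> 1.25 GHz.
    ip_only = forwarding_budget(
        {"ip_in": IP_STACK_CYCLES_PER_BYTE, "ip_out": IP_STACK_CYCLES_PER_BYTE}, gigabit
    )
    print(f"IP stack only: {ip_only['total_hz'] / 1e9:.2f} GHz")

    # Adding the assumed netfilter cost: 20 cycles/byte -> 2.5 GHz.
    with_filter = forwarding_budget(
        {
            "ip_in": IP_STACK_CYCLES_PER_BYTE,
            "ip_out": IP_STACK_CYCLES_PER_BYTE,
            "netfilter": ASSUMED_NETFILTER_CYCLES_PER_BYTE,
        },
        gigabit,
    )
    print(f"With assumed netfilter cost: {with_filter['total_hz'] / 1e9:.2f} GHz")

    # Inverse check on the original poster's 12 Mb/s, with a hypothetical 500 MHz box.
    hypothetical_clock = 500e6
    cost = implied_cycles_per_byte(hypothetical_clock, 12e6)
    print(f"12 Mb/s on a {hypothetical_clock / 1e6:.0f} MHz box implies {cost:.0f} cycles/byte")
```

The inverse calculation is the useful check for the original question: at the quoted per-byte costs, even a modest clock of the period sustains far more than 12 Mb/s, so an observed rate that low implies hundreds of cycles per byte, well above anything the stack or a simple rule set should cost. A gap that large points away from per-byte CPU cost and towards something else on the path (link or driver level), which is worth ruling out before buying a faster box.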
Re: Linux enterprise firewall
Thus spake Sandy Harris:
>
> There was a good paper at last year's Ottawa Symposium on doing it
> faster than that, though:
> http://www.linuxsymposium.org/2000/routing.php
>

There doesn't actually seem to be a paper here, only a description of
it. Is it on-line somewhere?

Wil
--
W. Reilly Cooley wcooley@nakedape.cc
Naked Ape Consulting http://nakedape.cc
LNXS: Get 0.2.0-devel at http://sourceforge.net/projects/lnxs/
irc.openprojects.net #lnxs

Faith may be defined briefly as an illogical belief in the occurrence of the
improbable.
- H. L. Mencken
RE: Linux enterprise firewall
Wil Cooley [SMTP:wcooley@nakedape.cc] wrote:
>Thus spake Sandy Harris:
>>
>> There was a good paper at last year's Ottawa Symposium on doing it
>> faster than that, though:
>> http://www.linuxsymposium.org/2000/routing.php
>>
>
>There doesn't actually seem to be a paper here, only a description of
>it. Is it on-line somewhere?

A quick google search turned this up:

http://lwn.net/2000/0928/a/fast-forwarding.php3

with a link to:

http://robur.slu.se/Linux/net-development/jamal/FF-html/

There are also mp3s from the Linux 2000 Symposium on:

http://www.linuxsymposium.org/audio.php

Regards,
Filip