Re: Optimizing CentOS for gigabit firewall




thus Pasi Kärkkäinen spake:
> On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
>>    I will explain more deeply. I need to deploy a firewall(s) in front of web
>>    server farm because I need to do billing - I will use CentOS with iptables
>>    + ipset to store a list of my clients so when a client doesn't pay his
>>    server's IP is out of the list and he can't access the web server.
>>
>>    Second - I know that iptables is very heavy and it's not recommended to
>>    use it in gigabit firewall but I don't have a choice as far as I know only
>>    ipset works with iptables. I don't know whether pf can store 500 IPs in one list.
>>    Ipset is written for that purpose.
>>
>>    I can't find information on whether there is a Linux or BSD distribution with an effective
>>    firewall that uses an optimized algorithm to store hundreds of IPs and to
>>    forward huge traffic. Any idea?
>>
> 
> I've been using Linux (CentOS5) on gigabit firewalls, for thousands of
> users. No problems.

Yeah, but what is your ruleset?

> Just make sure ip_conntrack_max is big enough, so you don't run out of
> connections. 

Just three months ago I saw a CentOS L2TP cluster explode because of 
this -- and the machines have _plenty_ of RAM each. Turning off 
ip[6]tables entirely and letting the Ciscos do this was the only solution.

> There are other things to tune to optimize the performance, but it's
> certainly doable with linux+iptables.

Nail, hammer, etc. ;)

> -- Pasi

Timo
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
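
An added example, not part of the thread and not the original poster's or
Pasi's setup: it generates (rather than runs) the ipset and iptables
commands for the paying-client allow-list described above, and adds the
conntrack headroom check that Pasi's ip_conntrack_max advice and Timo's
"table full" incident call for. Assumptions: ipset 6.x restore syntax
(CentOS 5 shipped the older ipset 4 syntax), a hypothetical set name
"paying_clients", a client list file with one IPv4 address or CIDR per line
('#' comments allowed), the firewall forwarding to the web farm (FORWARD
chain), and the nf_conntrack sysctl names of later kernels (on CentOS 5 the
equivalents live under net.ipv4.netfilter.ip_conntrack_* and
/sys/module/ip_conntrack/parameters/hashsize).

```shell
#!/bin/sh
# Added example (not from the thread). Every function prints commands or a
# status instead of touching the kernel, so it can be reviewed and tested
# offline; pipe the output to sh on the firewall to apply it.

SET_NAME="paying_clients"   # assumed set name

# Print an `ipset restore` script that loads the client list into a scratch
# set and then swaps it in atomically, so a billing refresh never leaves the
# live set half-populated. Feed the output to: ipset -exist restore
# $1 = path to the client list (one address or CIDR per line).
build_ipset_restore() {
    list="$1"
    scratch="${SET_NAME}_new"
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$SET_NAME"
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$scratch"
    printf 'flush %s\n' "$scratch"
    grep -Ev '^[[:space:]]*(#|$)' "$list" | while read -r addr; do
        printf 'add %s %s\n' "$scratch" "$addr"
    done
    printf 'swap %s %s\n' "$scratch" "$SET_NAME"
    printf 'destroy %s\n' "$scratch"
}

# Print the iptables rules: a single set lookup for the whole list instead
# of one rule per client, so the ruleset does not grow with the client base.
# $1 = web farm destination (address or CIDR).
build_iptables_rules() {
    farm="$1"
    printf 'iptables -A FORWARD -p tcp -d %s -m multiport --dports 80,443 -m set --match-set %s src -j ACCEPT\n' "$farm" "$SET_NAME"
    printf 'iptables -A FORWARD -p tcp -d %s -m multiport --dports 80,443 -j DROP\n' "$farm"
}

# Current conntrack usage as "count max", from whichever /proc path this
# kernel has (nf_conntrack on 2.6.2x and later, ip_conntrack on 2.6.18).
read_conntrack() {
    for p in /proc/sys/net/netfilter/nf_conntrack /proc/sys/net/ipv4/netfilter/ip_conntrack; do
        if [ -r "${p}_count" ] && [ -r "${p}_max" ]; then
            printf '%s %s\n' "$(cat "${p}_count")" "$(cat "${p}_max")"
            return 0
        fi
    done
    return 1
}

# Return 0 while usage is below the threshold percentage (default 80) and 1
# once it is not; at 100% the kernel logs "table full, dropping packet".
# Pure (arguments in, status out) so a monitoring check can call it with
# the two numbers from read_conntrack.
conntrack_headroom_ok() {
    count="$1"; max="$2"; pct="${3:-80}"
    [ "$((count * 100 / max))" -lt "$pct" ]
}

# Print the settings that raise the table. On the 2.6.18 kernel the default
# is 8 * hashsize with hashsize capped at 8192 on machines with more than
# 1 GB, i.e. 65536 entries no matter how much RAM is fitted, which is why a
# box with plenty of memory still runs out. Raise the bucket count with the
# maximum (8 entries per bucket here) so hash chains stay short, and cut the
# 5-day established timeout so dead flows leave the table.
# $1 = desired maximum number of tracked connections.
conntrack_tuning() {
    max="$1"
    buckets=$((max / 8))
    printf 'sysctl -w net.netfilter.nf_conntrack_max=%s\n' "$max"
    printf 'echo %s > /sys/module/nf_conntrack/parameters/hashsize\n' "$buckets"
    printf 'sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600\n'
}
```

Typical use on the firewall: `build_ipset_restore clients.txt | ipset -exist
restore` from the billing cron job, `build_iptables_rules 192.0.2.0/24 | sh`
once at boot, and `read_conntrack` fed into `conntrack_headroom_ok` from the
monitoring system so the table is grown before it fills, not after.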

