On Thu, 8 Jul 2004, Sudheer Divakaran wrote:

> Hi,
>
> I've a local LAN consisting of about 150 machines. I'm using a machine
> with Linux + IPTables as the gateway machine, which in turn connects to
> two different ISPs. My question is: can a Linux based machine match the
> performance of a hardware based router provided by Cisco, ... OR is my
> decision to go for a Linux based solution a wrong one?
>
> Is there so much difference between these two solutions?
>
> Can I achieve the same performance using a high end PC and Linux?
>
> I'm asking this because one guy told me that my decision to go for a
> Linux based solution is a wrong one and it can never match the
> performance of hardware based Routers.

iptables is not concerned with routing. If you're comparing a Cisco
_routing_ solution with a Linux-based one, this is the wrong list I think.
There are many things to consider: raw performance, routing software (are
you running EIGRP?) and so on, all off topic here.

Regardless, ask that guy to show you a real 'hardware based router'. That
is, remove any software (IOS) from a Cisco piece of hardware and see how it
performs. Ciscos (but high-end ones only) do have specialized hardware, so
you may refer to it as "hardware-assisted routing", no more. But they're
software-based routers, too.

Again, this is quite off topic. iptables is about filtering, NATing,
mangling IP packets (am I missing anything?). Yeah, Ciscos can do that too.
But, please correct me if I'm wrong, I'm not aware of _any_ hardware that
assists them in that. So it's not hardware-based filtering anyway. It's all
in software.

The following rule:

    iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

which may make sense in simple setups, takes _global_ decisions; it can
hardly be "distributed" to interface processors (think of packets belonging
to the same flow that may arrive from two different interfaces).

In the end, the right question is: how does iptables compare to IOS
access lists?

I'll leave the comparison to others. All I know is that there's no UNIX
shell running on a Cisco. There's no UNIX-like environment. Put two lines
in crontab, and have them invoke a script that sets iptables up, passing it
a parameter (night/day), in order to implement less permissive rules at
night and during weekends. Now do the same with a Cisco. You get the idea.

.TM.
-- 
      ____/  ____/   /
     /      /       /                   Marco Colombo
    ___/  ___  /   /                  Technical Manager
   /          /   /                      ESI s.r.l.
 _____/ _____/  _/                     Colombo@xxxxxx
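The day/night scheme Marco sketches above (two crontab lines calling one script with a night/day parameter), written out as an added example; this is not code from the mail or from the list. The interface names (eth0 for the LAN, eth1 and eth2 for the two ISPs), the LAN prefix 192.168.0.0/24, the install path /usr/local/sbin/fw.sh and the choice of what stays open at night (outbound SMTP and DNS) are all assumptions picked for illustration. The script emits a complete iptables-restore ruleset rather than running one iptables command per rule, so the switch between the two policies is loaded atomically and the ESTABLISHED,RELATED rule from the mail is in place in both modes:

```shell
#!/bin/sh
# Day/night firewall loader for a Linux gateway: a hypothetical example, not
# code from the mail. Assumed layout: eth0 faces the LAN 192.168.0.0/24,
# eth1 and eth2 face the two ISPs (interfaces, prefix and path are assumptions).
#
# Crontab lines that drive it (weekends stay in "night" mode because the
# "day" entry only fires Monday to Friday):
#   0 8  * * 1-5  /usr/local/sbin/fw.sh day
#   0 19 * * *    /usr/local/sbin/fw.sh night

LAN_IF=eth0
LAN_NET=192.168.0.0/24
WAN_IFS="eth1 eth2"

# Print a complete iptables-restore ruleset for MODE ("day" or "night").
# Generating the whole table and loading it in one go makes the switch atomic:
# there is no window where half the old and half the new rules are active.
build_rules() {
    mode=$1
    case $mode in
        day|night) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac

    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Replies and related traffic of flows already seen: the global decision
    # discussed in the mail, taken by conntrack whatever the input interface.
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' \
        "-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT"

    for wan in $WAN_IFS; do
        if [ "$mode" = day ]; then
            # Working hours: the LAN may open new connections anywhere.
            printf '%s\n' \
                "-A FORWARD -i $LAN_IF -o $wan -s $LAN_NET -m state --state NEW -j ACCEPT"
        else
            # Off hours: only outbound SMTP and DNS may start new flows.
            printf '%s\n' \
                "-A FORWARD -i $LAN_IF -o $wan -s $LAN_NET -p tcp --dport 25 -m state --state NEW -j ACCEPT" \
                "-A FORWARD -i $LAN_IF -o $wan -s $LAN_NET -p udp --dport 53 -m state --state NEW -j ACCEPT"
        fi
    done
    if [ "$mode" = night ]; then
        # Log (rate limited) what the night policy is about to drop.
        printf '%s\n' \
            "-A FORWARD -i $LAN_IF -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix \"fw-night-drop: \""
    fi
    printf '%s\n' 'COMMIT' '*nat' ':POSTROUTING ACCEPT [0:0]'
    for wan in $WAN_IFS; do
        printf '%s\n' "-A POSTROUTING -o $wan -s $LAN_NET -j MASQUERADE"
    done
    printf '%s\n' 'COMMIT'
}

main() {
    case $1 in
        --print) build_rules "$2" ;;                    # show the ruleset only
        *)       build_rules "$1" | iptables-restore ;; # load it atomically
    esac
}

# Run only when invoked with arguments, so the file can be sourced for testing.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

`fw.sh --print night | diff - <(fw.sh --print day)` shows exactly what changes between the two policies before cron ever loads them; `iptables-save` after a switch confirms the kernel holds the ruleset the script printed.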