[Cc'ing netfilter list, since that is the right place for this kind of question]

On Sun, Jul 25, 2004 at 08:56:12PM +0100, Scott Switzer wrote:
> My company serves thousands of small HTTP requests per second (roughly
> 3000 connections per second with a max of 10k request size - 50Mbps
> bandwidth), and we have just maxed out our Netscreen 204 (128,000
> simultaneous sessions). The next level of Netscreen is roughly $50K,
> and I received advice to use either iptables or pf rather than a
> proprietary firewall. Since our requirements regarding the complexity
> of a firewall (outside of throughput) are relatively small (no complex
> rule sets), I am willing to look at this option.
>
> In short:
> Can iptables manage this kind of load?

sure!

> What are the hardware resources that are needed for this? I have an AMD
> 2.2Ghz Opteron with 2Gb memory which could be used for this task. Is
> this sufficient?

I would say it's way more than sufficient ;) I've been doing firewall
benchmarking at multiple gigabit speeds on dual opteron boxes ;)... with a
single opteron you should be able to do at least 250.000 packets per
second, even without any tuning and a very suboptimal ruleset.

> What kernel would you recommend for this?

2.6.7

> Cheers,
> Scott Switzer

-- 
- Harald Welte <laforge@xxxxxxxxxxxxx>                http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie