RE: Upper limit of users for iptables firewall

Jose,

processing acls is not a function of how many but how deep through the list
before we get a match and how the firewall internals address usage
of horse power - this is NOT a bandwidth issue at all.


acl building is an art that is born out of a combination of
1. blocking known bad stuff.
2. placing 'noisy' allowed protocols near the top so as not to thrash.
3. blocking ALL unneeded traffic EARLY in the acl.
4. pro-actively monitoring and profile building to fine-tune the acls.

this is why I suggest that firewalls, routers, servers and clients be
separated whenever finances and layer 8 of the OSI allow it.

btw, layer 8 relates to finance/marketing/politics; if one is hindered by
this then they have my sympathies, as this is usually what allows intruders
access more than any other single component.

~piranha
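The four points above come down to one measurable quantity: how many rules a packet is evaluated against before it matches. The script below is an added example (not from the list thread or the netfilter project) that parses the counter output of `iptables -nvL <chain>`, computes the average match depth for the chain, and shows how much that depth drops when the 'noisy' allowed traffic (the RELATED,ESTABLISHED rule) is moved to the top. The sample output is constructed for illustration; the column layout follows real iptables output, and packets that fall through to the chain policy are counted as having traversed every rule.

```python
"""Estimate how deep packets travel through an iptables chain before matching."""
import re
from dataclasses import dataclass

# Constructed sample of `iptables -nvL INPUT` output; the counters are invented.
SAMPLE_OUTPUT = """\
Chain INPUT (policy DROP 1200 packets, 96000 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4500  270K DROP       all  --  *      *       198.51.100.0/24      0.0.0.0/0
  300   18K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  800   48K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3128
 9000  540K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   50  3000 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
"""

# iptables abbreviates large counters with K/M/G (multiples of 1000) unless -x is given.
_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

POLICY_RE = re.compile(r"^Chain \S+ \(policy \S+ (\S+) packets")
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(.*)$")


@dataclass
class Rule:
    position: int  # 1-based position in the chain
    pkts: int      # packets counted against this rule
    target: str    # ACCEPT, DROP, ...
    spec: str      # protocol, interfaces, addresses and match options


def parse_count(token: str) -> int:
    """Turn a counter token such as '270K' into an integer."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_chain(text: str):
    """Return (policy_packets, rules) from `iptables -nvL <chain>` output."""
    policy_pkts = 0
    rules = []
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy_pkts = parse_count(m.group(1))
            continue
        if line.lstrip().startswith("pkts"):
            continue  # column header line
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(len(rules) + 1, parse_count(m.group(1)),
                              m.group(3), m.group(4).strip()))
    return policy_pkts, rules


def traversal_cost(policy_pkts: int, rules) -> int:
    """Total rule evaluations: each packet costs the position of the rule it hit.

    Every rule is treated as terminating (true for ACCEPT/DROP/REJECT chains);
    packets reaching the policy are charged the full chain length.
    """
    cost = sum(r.pkts * pos for pos, r in enumerate(rules, 1))
    return cost + policy_pkts * len(rules)


def average_depth(policy_pkts: int, rules) -> float:
    """Average number of rules evaluated per packet."""
    total = policy_pkts + sum(r.pkts for r in rules)
    return traversal_cost(policy_pkts, rules) / total if total else 0.0


def reorder(rules, order):
    """Build a new chain from the original 1-based positions in `order`.

    Moving a rule past a terminating rule whose matches overlap changes what
    the chain does, so the proposed order must be checked by hand first.
    """
    by_pos = {r.position: r for r in rules}
    return [Rule(i, by_pos[p].pkts, by_pos[p].target, by_pos[p].spec)
            for i, p in enumerate(order, 1)]


def hottest(rules):
    """Rules sorted by hit count, the candidates for moving up the chain."""
    return sorted(rules, key=lambda r: r.pkts, reverse=True)


if __name__ == "__main__":
    policy, rules = parse_chain(SAMPLE_OUTPUT)
    print(f"average depth as listed:   {average_depth(policy, rules):.2f}")
    # Move the RELATED,ESTABLISHED rule (position 4) to the top of the chain.
    moved = reorder(rules, [4, 1, 2, 3, 5])
    print(f"average depth after move:  {average_depth(policy, moved):.2f}")
    for r in hottest(rules)[:3]:
        print(f"  rule {r.position}: {r.pkts} pkts {r.target} {r.spec}")
```

Run against a real chain with `iptables -nvL INPUT` piped into `parse_chain`; the 1200 policy packets in the sample are the "unneeded traffic" of point 3, and the script charges them the full chain length, which is why dropping them early pays off as much as moving the allowed traffic up.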

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx]On Behalf Of Jose Maria
Lopez
Sent: Saturday, October 16, 2004 5:30 AM
To: ads nat
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Upper limit of users for iptables firewall


On Fri, 15 Oct 2004 at 07:47, ads nat wrote:
> hi,
> I am having 512 Mbps bandwidth. Users are mainly
> browsing Web and using email facility. I am using
> squid for cache. I have about 10 % cache so i think
> total upper bandwidth availability will be around 600
> Kbps. Bandwidthwise there is no problem. My worry is
> if iptables processing for 400 users with various acls
> should not slow down firewall processing due to
> hardware configuration.
> Thanks for support.

In my experience you should not have any problem
managing that number of users even if you have a huge
number of rules with your machine. But you can always
make some tests to see if the machine slows down, but
I think it should be ok.

-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@xxxxxxxxx
bgSEC Computer Systems Security and Consulting
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
