Hi Thomas,

On my internal firewall I usually see about 10k to 15k connections, so is it reasonable to start thinking about managing 30k to 45k connections? It seems a horrible number to me!!!

On Tuesday, 2 November 2004 16:49, Thomas wrote:
> Clist wrote:
>
> > Hi all,
> >
> > I need to study a solution based on iptables for a large number of networked hosts.
> > It will be used as a central gateway for the networks we have at University of Alcalá.
> >
> > We need to perform a large number of NAT (above 3000 hosts or so) for the internal networks and filtering for
> > several ranges of public addresses for web servers and things like that.
> >
> > Our main campus backbone is ATM based, but we plan to deploy our solution on gigabit links attached to
> > our routers because we think this setup will be more stable than managing ATM and LANE connections at the firewall.
> >
> > Currently we have a setup for filtering access to our public web servers and networking services based on a dual Pentium III at 800MHz, 1GB RAM and kernel 2.4.2x
> > customized over RedHat 7.3, but we have no idea of the behaviour of iptables connection tracking when managing a large number of network clients.
> >
> > Does anyone know of benchmarking test results, or studies of netfilter performance carried out by some people,
> > that we can see in order to decide how many hardware resources we need, the best distributions for doing so,
> > or high-performance projects based on netfilter/iptables?
> >
>
> Hi,
> there are two points.
> 1. The count of hosts is not so important, since a single host running
> a p2p client can open thousands of connections, while a server or
> PC pool only opens a few connections
> for DNS, mail and HTTP.
> 2. The CPU load and filtering directly depend on how well you organize the
> ruleset. Since you can use self-defined rules you can Huffman-structure them
> with the weight of the packet count, which is very CPU friendly.
>
> So it will be hard to compare without more information.
>
> Cu Thomas

--
-------------------------------------------------
Clister UAH
-------------------------------------------------
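Thomas's second point, that CPU load depends on how the ruleset is organized and that user-defined chains can be arranged by packet count so the heaviest traffic takes the shortest path, as an added example (this is not code from the thread, Clist or Thomas). It models a rule's cost as its position in the chain that evaluates it, builds a two-level layout (one user-defined chain per traffic class, dispatch rules and in-chain rules both sorted by packet weight), and compares the evaluations per packet against a flat chain written in the order an admin might type it. The packet counts, hosts and RFC 5737 address ranges are constructed stand-ins for a campus gateway; in practice the counts come from `iptables -L FORWARD -v -n -x`. The rendered `iptables` commands are strings only and are never executed.

```python
"""Order an iptables ruleset by packet weight (added example, not from the thread).

Model: a packet entering a chain is checked against each rule in turn until one
matches, so a matching rule's cost is its rank. A flat chain costs rank(rule);
a two-level layout costs rank(dispatch rule) + rank(rule inside its sub-chain).
Only packets that match some rule are modelled; the final DROP is not counted.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Rule = Tuple[str, str, int]  # (traffic class, per-host match, packets matched)

# Hypothetical dispatch matches per traffic class (constructed RFC 5737 ranges).
GROUP_MATCH: Dict[str, str] = {
    "web":  "-p tcp -d 192.0.2.0/27 -m multiport --dports 80,443",
    "mail": "-p tcp -d 198.51.100.0/28 --dport 25",
    "dns":  "-p udp -d 203.0.113.0/29 --dport 53",
}


def constructed_rules() -> List[Rule]:
    """Constructed sample ruleset in the order an admin might have typed it:
    infrastructure first, then the 30 web hosts that carry most of the traffic."""
    rules: List[Rule] = []
    for i in range(4):
        rules.append(("dns", f"-d 203.0.113.{i + 1}", 800_000 - 100_000 * i))
    for i in range(10):
        rules.append(("mail", f"-d 198.51.100.{i + 1}", 300_000 - 20_000 * i))
    for i in range(30):
        rules.append(("web", f"-d 192.0.2.{i + 1}", 2_000_000 - 50_000 * i))
    return rules


def total_packets(rules: List[Rule]) -> int:
    return sum(p for _, _, p in rules)


def flat_cost(rules: List[Rule]) -> int:
    """Total rule evaluations for one flat chain in the given order."""
    return sum(p * rank for rank, (_, _, p) in enumerate(rules, start=1))


def weighted_layout(rules: List[Rule]) -> List[Tuple[str, List[Rule]]]:
    """One user-defined chain per class; dispatch rules ordered by the class's
    packet total, rules inside each chain by their own count, so the heaviest
    path is the shortest."""
    groups: Dict[str, List[Rule]] = defaultdict(list)
    for r in rules:
        groups[r[0]].append(r)
    layout = [(g, sorted(rs, key=lambda r: r[2], reverse=True))
              for g, rs in groups.items()]
    layout.sort(key=lambda item: total_packets(item[1]), reverse=True)
    return layout


def tree_cost(layout: List[Tuple[str, List[Rule]]]) -> int:
    """Total evaluations: dispatch rank in the parent chain plus rank in the sub-chain."""
    total = 0
    for dispatch_rank, (_, rs) in enumerate(layout, start=1):
        for rank, (_, _, p) in enumerate(rs, start=1):
            total += p * (dispatch_rank + rank)
    return total


def render_iptables(layout: List[Tuple[str, List[Rule]]], parent: str = "FORWARD") -> str:
    """Emit the iptables commands for the layout as text (nothing is executed)."""
    lines = []
    for g, rs in layout:
        lines.append(f"iptables -N {g}")
        for _, match, _ in rs:
            lines.append(f"iptables -A {g} {match} -j ACCEPT")
    for g, _ in layout:  # dispatch rules, heaviest class first
        lines.append(f"iptables -A {parent} {GROUP_MATCH[g]} -j {g}")
    lines.append(f"iptables -A {parent} -j DROP")
    return "\n".join(lines)


if __name__ == "__main__":
    rules = constructed_rules()
    n = total_packets(rules)
    layout = weighted_layout(rules)
    by_weight = sorted(rules, key=lambda r: r[2], reverse=True)
    print(f"flat, as typed : {flat_cost(rules) / n:.2f} evaluations/packet")
    print(f"flat, by weight: {flat_cost(by_weight) / n:.2f} evaluations/packet")
    print(f"two-level tree : {tree_cost(layout) / n:.2f} evaluations/packet")
    print(render_iptables(layout))
```

With the constructed counts the flat chain as typed costs about 24 evaluations per matching packet and the weighted two-level layout about 13. The dispatch rule is one extra evaluation for every packet, so for a ruleset of only a handful of rules a single weight-sorted chain is cheaper; the sub-chains pay off once each class holds many rules, which is the case for per-host filtering of several public ranges.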