On Thu, 02 Jun 2005 21:15:23 -0500, /dev/rob0 <rob0@xxxxxxxxx> wrote:
> Michael Buffer wrote:
> > I'm considering purchasing some firewall machines for my organization,
> > and I am trying to decide whether a machine with multiple CPUs is worth
> > the additional expense performance-wise (aside from being able to assign
> > CPUs
> ??? I cannot believe this is even under consideration. Just how big is
> your organisation?
> I run iptables firewalls on very modest machines, with single and dual
> T1 lines, and there is never any CPU load from the packet filtering nor
> the NAT. I don't have any really large sites, but I strongly suspect
> that iptables firewalling of very large sites could easily be handled by
> dumpster-grade equipment.
> Of course with a budget like yours you'll want something new, which is
> better (we hope) for the physical reliability of the machine. A fast CPU
> is useful for a fast boot time to minimise down time in the event of
> problems. Otherwise, a waste.
> Listen, I ran my home cable, with multiple simultaneous large downloads
> and 3-4 busy Web browsers on a 386. It never broke a sweat. This of
> course used ISA 10Mbit NICs. It could have handled many times the load
> without problem.
> Why did I decommission it? Electricity. I only had so many outlets, and I
> needed a machine to perform more complex tasks, so the firewall job got
> handed off to another machine, and the 386 was retired. Still here in
> case I need it again.
> I need a new computer ATM. How about I build a firewall machine for you,
> and you send me that SMP super machine? ;)
This of course seems to me like a stupendous statement. OK? If your
firewall is hit by 3000 packets per minute, that's not a great load
issue. But imagine you have 30000 clients you need to NAT and route.
That's an awful lotta power and you mustn't underestimate the chance of
your CPU not handling them. I've seen such situations in many ISPs. Their
routers (x86) just can't handle the traffic. And the dude one step before
in the thread asked you the right question anyway: Just how big is your
organisation? Measure your traffic! If it is less than 200-300 Mbit/s you
should not be worrying. If it's more and you have some intense
services (IDSs, slow rule traversal because of many rules, multiple
servers on each machine), that's when you shall invest your $$$ in BIGGER
machines. Indeed Linux handles SMP almost perfectly, same for HT, but both
of them at once is not a good idea (2x2 Xeons for example), because of the
inconvenience of the POSIX threading model and the lack of specialized
support for this type of process queuing.
--
www.supportivo.org
I can't stop myself checking for pigs in the outlets. Everybody thinks I'm
a punk, cause of the hairstyle (220V).
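For the "measure your traffic" advice above, here is an added example (not
code from anyone in this thread) of the kind of sizing check a firewall
admin would run on a Linux iptables/NAT box: sample /proc/net/dev twice to
get Mbit/s and packets/s per interface, and /proc/stat to get the share of
CPU time spent in softirq, which is where most of the kernel's packet
processing is accounted. The 200-300 Mbit/s band is the figure quoted in
the reply above; the two snapshot pairs embedded in the script are
constructed, not real captures, and the sample_live() helper assumes a
Linux host.

```python
"""Capacity check for a Linux packet-filtering box (added example).

Samples /proc/net/dev for link throughput and /proc/stat for the softirq
share of CPU time. The 200-300 Mbit/s band is the thread's rough figure.
"""
import time

# Constructed /proc/net/dev snapshots one second apart (not real captures).
SNAP_A = (
    "Inter-|   Receive                                                |  Transmit\n"
    " face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed\n"
    "    lo:          0       0    0    0    0     0          0         0          0       0    0    0    0     0       0          0\n"
    "  eth0: 1000000000 1000000    0    0    0     0          0         0  500000000  800000    0    0    0     0       0          0\n"
    "  eth1:  500000000  800000    0    0    0     0          0         0 1000000000 1000000    0    0    0     0       0          0\n"
)
SNAP_B = (
    "Inter-|   Receive                                                |  Transmit\n"
    " face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed\n"
    "    lo:          0       0    0    0    0     0          0         0          0       0    0    0    0     0       0          0\n"
    "  eth0: 1031250000 1020000    0    0    0     0          0         0  512500000  810000    0    0    0     0       0          0\n"
    "  eth1:  512500000  810000    0    0    0     0          0         0 1031250000 1020000    0    0    0     0       0          0\n"
)

# Constructed aggregate "cpu" lines from /proc/stat for the same interval.
STAT_A = "cpu  1000 0 500 8000 100 50 200 0 0 0\n"
STAT_B = "cpu  1100 0 550 8650 110 60 380 0 0 0\n"


def parse_net_dev(text):
    """Return {iface: (rx_bytes, rx_packets, tx_bytes, tx_packets)}."""
    counters = {}
    for line in text.splitlines()[2:]:  # skip the two header lines
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)
        f = rest.split()
        # Receive columns are f[0..7], transmit columns f[8..15];
        # bytes and packets are the first two of each group.
        counters[iface.strip()] = (int(f[0]), int(f[1]), int(f[8]), int(f[9]))
    return counters


def link_rates(before, after, seconds):
    """Per-interface Mbit/s and packets/s from two counter snapshots."""
    rates = {}
    for iface, b in after.items():
        a = before.get(iface, (0, 0, 0, 0))
        rates[iface] = {
            "mbit_in": (b[0] - a[0]) * 8 / seconds / 1e6,
            "pps_in": (b[1] - a[1]) / seconds,
            "mbit_out": (b[2] - a[2]) * 8 / seconds / 1e6,
            "pps_out": (b[3] - a[3]) / seconds,
        }
    return rates


def softirq_share(stat_before, stat_after):
    """Fraction of CPU time spent in softirq between two /proc/stat reads.

    Field order after 'cpu' is: user nice system idle iowait irq softirq ...
    """
    def cpu_fields(text):
        for line in text.splitlines():
            if line.startswith("cpu "):
                return [int(x) for x in line.split()[1:]]
        raise ValueError("no aggregate cpu line in /proc/stat text")

    delta = [y - x for x, y in zip(cpu_fields(stat_before), cpu_fields(stat_after))]
    total = sum(delta)
    return delta[6] / total if total else 0.0


def classify(rates, low=200.0, high=300.0):
    """Peak per-interface Mbit/s placed against the 200-300 Mbit/s band."""
    peak = max((max(r["mbit_in"], r["mbit_out"]) for r in rates.values()), default=0.0)
    if peak < low:
        band = "below"
    elif peak <= high:
        band = "within"
    else:
        band = "above"
    return peak, band


def sample_live(seconds=5.0):
    """Take two real samples on a Linux host (raises outside Linux)."""
    with open("/proc/net/dev") as n, open("/proc/stat") as s:
        n0, s0 = n.read(), s.read()
    time.sleep(seconds)
    with open("/proc/net/dev") as n, open("/proc/stat") as s:
        n1, s1 = n.read(), s.read()
    return link_rates(parse_net_dev(n0), parse_net_dev(n1), seconds), softirq_share(s0, s1)


if __name__ == "__main__":
    rates = link_rates(parse_net_dev(SNAP_A), parse_net_dev(SNAP_B), 1.0)
    for iface, r in rates.items():
        print(f"{iface:>5}: in {r['mbit_in']:7.1f} Mbit/s {r['pps_in']:8.0f} pps | "
              f"out {r['mbit_out']:7.1f} Mbit/s {r['pps_out']:8.0f} pps")
    peak, band = classify(rates)
    print(f"peak {peak:.1f} Mbit/s is {band} the 200-300 Mbit/s band; "
          f"softirq share {softirq_share(STAT_A, STAT_B):.0%}")
```

Run on the constructed snapshots it reports 250 Mbit/s inbound on eth0
and outbound on eth1 (the box is forwarding between them) with 18% of CPU
time in softirq. On a real box, swap the constants for sample_live() and
watch the softirq share: if it climbs toward saturation while Mbit/s is
still modest, the limit is per-packet work (many rules, conntrack, small
packets), which is the case the reply above warns about.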