> So, this leads us to solving the connection pooling issue. We have two 1.8 GHz machines with 512MB, one is the active firewall, the other one would be the failover. Each one has 4 NICs, two onboard 100MB and a dual 1GB. Here is the config:
>
> eth0 -> INET (100MB)
> eth1 -> Private, heartbeat for linux-HA (100MB) -- Future implementation
> eth2 -> DMZ (1GB)
> eth3 -> Internal (1GB)

Unless you have a lot of traffic between the DMZ and the internal network, and assuming 100MB means 100Mbps, and that you have some decent NICs (maybe with NAPI/interrupt throttling; Intel's work nicely), you should probably be fine. We're running something similar with about 400mbps peak traffic and a P4 3GHz, and it's maybe at 30-40% capacity in peak hours. Good NICs, good buses (PCI-Express), high memory transfer rates and large cache sizes all make a difference though.

Harald Welte gave a talk once about selecting hardware for netfilter firewalls; the notes are available online, maybe it's helpful to you: http://www.heinlein-support.de/upload/slac/network_performance.pdf

> Anyway, this is one of the reasons we are rebuilding the firewalls. The other reason being a spinlock bug in that kernel version. So, we wanted to go with something fresher.

In kernel 2.4 there are some "nice" effects under various load levels and attacks; 2.6 kernels are much more robust there. We've added a packet rate limiter (using hashlimit) for good measure and since then never had any trouble again.
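For readers who want to see what a hashlimit rate limiter of the kind mentioned above looks like on this box layout, here is an added example (not the poster's actual rules). It assumes the interface names from the thread (eth0 towards the Internet), a per-source-IP limit on new TCP connections, and an `$IPT` variable so the rules can be previewed with `IPT=echo` before touching a live firewall; the rates are illustrative and must be tuned to the real traffic.

```shell
#!/bin/sh
# Per-source rate limit on new inbound TCP connections from the Internet,
# built on the xt_hashlimit match. Added example, not the list poster's rules.
IPT="${IPT:-iptables}"   # set IPT=echo to dry-run and print the rules
INET_IF="eth0"           # interface facing the Internet (from the thread)
RATE="30/sec"            # new connections per source IP (assumed value, tune it)
BURST="60"               # initial burst allowed per source IP (assumed value)

ratelimit_rules() {
    # Dedicated chain so the policy is applied identically to INPUT and FORWARD.
    $IPT -N RATELIMIT 2>/dev/null

    # Within limit: hand the packet back to the calling chain unchanged.
    # --hashlimit-upto is spelled --hashlimit in older iptables releases.
    $IPT -A RATELIMIT -m hashlimit \
        --hashlimit-name inet_new --hashlimit-mode srcip \
        --hashlimit-upto "$RATE" --hashlimit-burst "$BURST" \
        --hashlimit-htable-expire 60000 \
        -j RETURN

    # Over limit: log sparingly (the LOG rule itself is limit-matched so a
    # flood cannot fill the syslog), then drop.
    $IPT -A RATELIMIT -m limit --limit 5/min -j LOG --log-prefix "ratelimit: "
    $IPT -A RATELIMIT -j DROP

    # Hook only connection-opening segments (SYN) from the Internet side;
    # established flows and the DMZ/internal links are not throttled.
    $IPT -A INPUT   -i "$INET_IF" -p tcp --syn -j RATELIMIT
    $IPT -A FORWARD -i "$INET_IF" -p tcp --syn -j RATELIMIT
}

if [ "${1:-}" = "apply" ]; then
    ratelimit_rules
fi
```

Run `IPT=echo sh ratelimit.sh apply` to print the rule set for review, and check `/proc/net/ipt_hashlimit/inet_new` afterwards to watch the per-source buckets fill.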