1. "We" use Linux; I do not see anything bad about using BSD either.
2. The "Intel Corporation 82598EB 10-Gigabit AF Dual Port Network Connection (rev 01)"; "we" use 2 of these in each FW with LACP bonding, giving 2 x 20Gbps.
3. For this one I have no 100% answer, but our firewall is running full stateful mode with IPS and uses its own kernel module.
4. I guess that depends more on your logging level, but "we" use Intel(R) Xeon(R) CPU E5645 @ 2.40GHz and a RAID 1 setup for storing the local logs.

Our usage may be different than what yours will be (or planned to be), but the FW can handle 1M pps depending on the number of "session" setups. So if the traffic is mostly DNS (UDP 53) packets it may have lower throughput.

Best regards,
André Paulsberg-Csibi

-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Satish Patel
Sent: 27. april 2016 05:20
To: netfilter@xxxxxxxxxxxxxxx
Subject: Build firewall with millions pps support

Planning to build a stateless firewall which supports a 10GE link, handling 2 million packets per second. Need the following suggestions from folks:

1. Which OS should I use? (BSD or Linux?)
2. What type of 10GE NIC should I pick to achieve high Mpps (multiqueue etc.)?
3. What should I use to bypass the kernel? (I heard from googling people saying to use this technique.)
4. What kind of server should I pick?

We are building this firewall to stop bad traffic at the front door and DDoS (especially flooding and UDP IP fragmentation style).