[KLUG Members] A plea for firewall ideas

Adam Bultman adamb at glaven.org
Tue Aug 31 15:43:16 EDT 2004


> If a slow Pentium 100-200 Mhz machine can firewall a full T1 without
> much noticeable increase in load average, then why can't a slightly
> faster machine firewall a much larger pipe?

We currently have 900 MHz celerons with 256 MB RAM, and they completely 
choke at ~6mbit.

I think the usage of the firewall has to be closely defined, because I'm 
positive that the traffic at work could drop that box in a heartbeat.  
Heck, we get the 900 really busy.

Of course, what are we doing?

We do a lot of NAT, some SNAT, and have a handful of internal zones. We 
have ~20 ipsec VPNs, use iptables extensively, etc etc etc. 

The thing that drops the firewalls the worst, though, is sending mail - 
not just normal mail, but large amounts of mail for clients. We have two 
servers that will send this mail, and the activity usually peaks at 8 
Mbit for about 4 hours (connections come in from one of the internal 
zones, get SNATted on the way out, etc). Those peaks used to be at 14 
Mbit, and for shorter, until we got VRRP running.  We've capped our 
bandwidth that way because the CPU stays at 100% usage during the 
sends.  I'm sure that if we had faster CPUs, we'd be able to send 
faster. 

For a local office LAN, with incoming mail, www, and a bunch of users 
behind it, a 200 Mhz firewall would be fine. But if you want to try to 
cram a lot of stuff behind it like us, a 1 Ghz isn't going to cut the 
mustard. 

Adam


> Or does "limits" refer to some piece of required software not included
> in smoothwall/ipcop?
>
> - BS
