[KLUG Members] A plea for firewall ideas

Bruce Smith bruce at armintl.com
Tue Aug 31 15:51:03 EDT 2004


> We currently have 900 MHz celerons with 256 MB RAM, and they completely 
> choke at ~6mbit.
> 
> I think the usage of the firewall has to be closely defined; because I'm 
> positive that the traffic at work could drop that box in a heartbeat.  
> Heck, we get the 900 busy really busy.
> 
> Of course, what are we doing?
> 
> We do a lot of NAT, some SNAT, and have a handful of internal zones. We 
> have ~20 ipsec VPNs, use iptables extensively, etc etc etc. 

IMO, it's the VPNs that are using up your CPU (if they are used a lot).

That can be solved by a faster machine, or more machines.

> The thing that drops the firewalls the worst, though, is sending mail - 
> not just normal mail, but large amounts of mail for clients. We have two 
> servers that will send this mail, and the activity usually peaks at 8 
> Mbit for about 4 hours (Connections come in from one of the internal 
> zones, gets SNATted on the way out, etc). Those peaks used to be at 14 
> Mbit, and for shorter, until we got VRRP running.  We've capped our 
> bandwidth that way because the CPU stays at 100% usage during the 
> sends.  I'm sure that if we had faster CPUs, we'd be able to send 
> faster. 

I'm not following why email would be different than other internet
traffic, and why passing traffic should use so much CPU power.
Is the firewall also the email server?
Or maybe those emails go over your VPNs?

 - BS
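One way to settle the question the reply raises (is it the SNATed mail traffic or the IPsec tunnels that dominates the box?) is to summarise the kernel's connection-tracking table. The script below is an added example, not from this thread; it assumes the /proc/net/ip_conntrack line layout of that era (protocol name, number, timeout, then the original tuple followed by the reply tuple) and treats a flow as SNATed when the reply tuple's dst differs from the original src. The sample lines are constructed.

```python
"""Summarise a Linux conntrack dump: flows per protocol, SNATed flows,
and SNATed flows by original destination port (25 = outbound SMTP)."""
import re
import sys
from collections import Counter

# One src=/dst= pair, optionally followed by sport=/dport= (absent for ESP).
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+)(?: sport=(\d+) dport=(\d+))?")


def parse_line(line):
    """Return (proto, snat, orig_dport) for one conntrack line, else None."""
    fields = line.split()
    tuples = TUPLE_RE.findall(line)
    if len(fields) < 2 or len(tuples) < 2:
        return None
    proto = fields[0]                      # e.g. tcp, udp, unknown (proto 50 = ESP)
    (osrc, _odst, _osport, odport), (_rsrc, rdst, _rs, _rd) = tuples[:2]
    snat = rdst != osrc                    # reply goes back to a rewritten address
    dport = int(odport) if odport else None
    return proto, snat, dport


def summarise(lines):
    """Aggregate parsed lines into counters a firewall admin can act on."""
    by_proto, snat_by_dport, snat_total = Counter(), Counter(), 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proto, snat, dport = parsed
        by_proto[proto] += 1
        if snat:
            snat_total += 1
            snat_by_dport[dport] += 1
    return {"by_proto": dict(by_proto), "snat_total": snat_total,
            "snat_by_dport": dict(snat_by_dport)}


SAMPLE = [  # constructed lines in ip_conntrack style, not a real capture
    "tcp      6 431999 ESTABLISHED src=10.1.0.5 dst=203.0.113.9 sport=33001 dport=25 src=203.0.113.9 dst=198.51.100.1 sport=25 dport=33001 [ASSURED] use=1",
    "tcp      6 431999 ESTABLISHED src=10.1.0.6 dst=203.0.113.10 sport=33002 dport=25 src=203.0.113.10 dst=198.51.100.1 sport=25 dport=33002 [ASSURED] use=1",
    "tcp      6 431999 ESTABLISHED src=10.1.0.7 dst=10.2.0.1 sport=40000 dport=80 src=10.2.0.1 dst=10.1.0.7 sport=80 dport=40000 [ASSURED] use=1",
    "udp      17 170 src=198.51.100.1 dst=203.0.113.77 sport=500 dport=500 src=203.0.113.77 dst=198.51.100.1 sport=500 dport=500 [ASSURED] use=1",
    "unknown  50 599 src=198.51.100.1 dst=203.0.113.77 src=203.0.113.77 dst=198.51.100.1 [ASSURED] use=1",
]

if __name__ == "__main__":
    # Pass a path (e.g. /proc/net/ip_conntrack) to analyse a live box; else the sample.
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print(summarise(lines))
```

On the sample this reports two SNATed flows, both to port 25, alongside one IKE (udp/500) and one ESP flow; run against the real table during a mail burst, a large dport-25 count points at the mass-mail SNAT path rather than the tunnels.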