From: Harald Welte <laforge@netfilter.org>
To: Scott Switzer <scott@switzer.org>
Cc: netfilter@lists.netfilter.org
Subject: Re: IPTables Performance...
Date: Fri, 30 Jul 2004 10:15:17 +0200
Message-ID: <20040730081517.GM17067@sunbeam2>
In-Reply-To: <4104105C.4040306@switzer.org>


[Cc'ing netfilter list, since that is the right place for this kind of
question]

On Sun, Jul 25, 2004 at 08:56:12PM +0100, Scott Switzer wrote:

> My company serves thousands of small HTTP requests per second (roughly 
> 3000 connections per second with a max of 10k request size - 50Mbps 
> bandwidth), and we have just maxed out our Netscreen 204 (128,000 
> simultaneous sessions).  The next level of Netscreen is roughly $50K, 
> and I received advice to use either iptables or pf rather than a 
> proprietary firewall.  Since our requirements regarding the complexity 
> of a firewall (outside of throughput) are relatively small (no complex 
> rule sets), I am willing to look at this option.
> 
> In short:
> Can iptables manage this kind of load?

sure!

> What are the hardware resources that are needed for this?  I have an AMD 
> 2.2 GHz Opteron with 2 GB memory which could be used for this task.  Is 
> this sufficient?

I would say it's way more than sufficient ;)  I've been doing firewall
benchmarking at multiple gigabit speeds on dual opteron boxes ;)... with
a single opteron you should be able to do at least 250,000 packets per
second, even without any tuning and a very suboptimal ruleset.

> What kernel would you recommend for this?

2.6.7

> Cheers,
> Scott Switzer

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

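The session-count question above (3000 new connections per second against an appliance limit of 128,000 sessions) comes down to sizing the netfilter connection-tracking table. The script below is an added example, not code from this message or from the netfilter project: it estimates the number of conntrack entries the load needs from the connection rate and how long each entry lives, derives a hash-table size from that, and reads the running kernel's limit and current count through the nf_conntrack sysctl path as well as the older ip_conntrack names used by 2.6-era kernels. The 120-second entry lifetime, the 25 % headroom and the four-entries-per-bucket ratio are assumptions chosen for the example, not values from the thread.

```shell
#!/bin/sh
# Added example, not part of the original thread: size the netfilter
# connection tracking table for the load described in the question and
# check it against the limit of the running kernel.  Plain POSIX sh
# arithmetic, so it also runs on the 2.6-era systems the thread discusses.

# required_conntrack_entries RATE_PER_SEC ENTRY_LIFETIME_SEC HEADROOM_PCT
# Little's law: entries in the table = arrival rate * time each entry lives.
# A conntrack entry outlives the TCP connection: after the FIN exchange it
# stays in the table until the TIME_WAIT conntrack timeout expires (two
# minutes by default in nf_conntrack_proto_tcp.c), so ENTRY_LIFETIME_SEC
# must include that tail, not just the HTTP exchange.
required_conntrack_entries() {
    echo $(( $1 * $2 * (100 + $3) / 100 ))
}

# conntrack_hashsize ENTRIES ENTRIES_PER_BUCKET
# Buckets for the conntrack hash table.  ENTRIES_PER_BUCKET is the average
# chain length you accept per lookup; 4 is an assumption made here, not a
# kernel constant.
conntrack_hashsize() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# conntrack_fits REQUIRED LIMIT : succeeds when the table is big enough.
conntrack_fits() {
    [ "$1" -le "$2" ]
}

# read_first_existing FILE... : print the first readable file; print
# "unknown" and fail if none exists (e.g. conntrack module not loaded).
read_first_existing() {
    for f in "$@"; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    echo unknown
    return 1
}

# The sysctl names changed when ip_conntrack became nf_conntrack, so try
# the current path first and fall back to the older ones.
current_conntrack_limit() {
    read_first_existing /proc/sys/net/netfilter/nf_conntrack_max \
                        /proc/sys/net/ipv4/netfilter/ip_conntrack_max \
                        /proc/sys/net/ipv4/ip_conntrack_max
}
current_conntrack_count() {
    read_first_existing /proc/sys/net/netfilter/nf_conntrack_count \
                        /proc/sys/net/ipv4/netfilter/ip_conntrack_count
}

# Constructed input based on the question: 3000 new connections/s, each
# entry assumed to live about 120 s including TIME_WAIT, 25% headroom.
RATE=3000; LIFETIME=120; HEADROOM=25
need=$(required_conntrack_entries "$RATE" "$LIFETIME" "$HEADROOM")
buckets=$(conntrack_hashsize "$need" 4)
limit=$(current_conntrack_limit) || :
count=$(current_conntrack_count) || :
echo "required entries: $need (hashsize $buckets)"
echo "kernel limit: $limit, in use now: $count"
if [ "$limit" != unknown ]; then
    if conntrack_fits "$need" "$limit"; then
        echo "conntrack table is large enough"
    else
        echo "raise it: sysctl -w net.netfilter.nf_conntrack_max=$need"
        echo "and: echo $buckets > /sys/module/nf_conntrack/parameters/hashsize"
    fi
fi
```

Run it as root on the firewall; if conntrack is not loaded the limit and count show as "unknown". With the numbers from the question it reports 450,000 required entries, well above the 128,000 sessions the appliance allowed, because every tracked connection occupies a slot through conntrack's TIME_WAIT timeout long after the small HTTP exchange is over. Raising nf_conntrack_max (and the hash size with it, so chains stay short) is one lever; shortening net.netfilter.nf_conntrack_tcp_timeout_time_wait for a server that only sees short-lived HTTP connections is the other.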

Thread overview: 5+ messages
     [not found] <4104105C.4040306@switzer.org>
2004-07-30  8:15 ` Harald Welte [this message]
2005-05-25 19:20 iptables performance Martin Schiøtz
2005-05-25 21:25 ` Jason Opperisano
2005-05-26  9:22   ` Martin Schiøtz
2007-02-15 19:48 Bart Duchesne