[unisog] IPTables as high bandwidth firewall
michael.holstein at csuohio.edu
Tue Aug 2 13:31:23 GMT 2005
> Though as mentioned in other posts it's important to consider the
> bandwidth requirements. PCI and even PCI-X do have some hardware limits,
> and there are also limitations in some of the gig NIC drivers too. If
> you are looking at gigabit speeds you need to be careful to ensure the
> cards you use don't have drivers with braindead interrupt handling.
Some server-class motherboards have more than one PCI bus (I've
personally seen this in some Dell Poweredge boxes) -- each represented
by a separate bridge chip.
You'd want your 'inside' and 'outside' interface on the separate buses,
and ideally, your RAID controller on a third (if available).
Once you get into sustained high-speed I/O, it's not the interface
bandwidth that's the problem -- it's getting that data into the CPU (and
not having it get in the way of something else).
Consider that most ATA disks (even 7.2k SATA ones) have a max sustained
transfer rate of ~20mb/sec. Consider that if you're logging on this box,
and stripe the drives accordingly.
Another poster posed the question "what is 'High-Speed'" .. give us your
throughput targets, number of hosts behind the box, and bandwidth line
speed (max burst) .. and we can start making recommendations on the best
hardware config for this (and I'm sure others can chime in on driver
improvements and kernel tweaks).
Michael Holstein CISSP GCIA
Cleveland State University
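A check for the separate-bus advice above, added here as an example and not part of the original post: on Linux, `/sys/class/net/<if>/device` resolves to a path ending in the NIC's PCI address, so the bus number can be read off and the inside/outside interfaces compared. The interface names and sysfs paths in the sample are constructed; on PCI/PCI-X the bus number maps to a physical bus segment behind one bridge, whereas on PCIe each slot often gets its own bus number, so treat the result as a proxy there.

```python
import os
import re
from collections import defaultdict

# PCI address (domain:bus:device.function) at the end of a sysfs device
# path, e.g. .../0000:03:00.0
_BDF = re.compile(r"([0-9a-f]{4}):([0-9a-f]{2}):([0-9a-f]{2})\.([0-7])$")


def pci_bus_of(device_path):
    """Return 'domain:bus' for a sysfs device path, or None if not PCI."""
    m = _BDF.search(device_path)
    if not m:
        return None
    return "%s:%s" % (m.group(1), m.group(2))


def group_by_bus(iface_paths):
    """Map 'domain:bus' -> sorted interface names sharing that bus.

    iface_paths: interface name -> resolved sysfs device path.
    Non-PCI interfaces (lo, bridges, VLANs) have no PCI address and are skipped.
    """
    buses = defaultdict(list)
    for iface, path in iface_paths.items():
        bus = pci_bus_of(path)
        if bus is not None:
            buses[bus].append(iface)
    return {bus: sorted(ifs) for bus, ifs in buses.items()}


def share_bus(iface_paths, a, b):
    """True if interfaces a and b sit on the same PCI bus."""
    bus_a = pci_bus_of(iface_paths.get(a, ""))
    bus_b = pci_bus_of(iface_paths.get(b, ""))
    return bus_a is not None and bus_a == bus_b


def read_sysfs(root="/sys/class/net"):
    """Collect interface -> device path from the running host (Linux only)."""
    result = {}
    for iface in os.listdir(root):
        dev = os.path.join(root, iface, "device")
        if os.path.islink(dev):
            result[iface] = os.path.realpath(dev)
    return result


if __name__ == "__main__":
    # Constructed sample standing in for read_sysfs() on a two-bus board.
    sample = {
        "eth0": "/sys/devices/pci0000:00/0000:00:1c.0/0000:03:00.0",
        "eth1": "/sys/devices/pci0000:00/0000:00:1c.2/0000:05:00.0",
        "eth2": "/sys/devices/pci0000:00/0000:00:1c.0/0000:03:00.1",
        "lo": "",
    }
    for bus, ifs in sorted(group_by_bus(sample).items()):
        print(bus, ifs)
    print("inside/outside on one bus:", share_bus(sample, "eth0", "eth2"))
```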