[unisog] IPTables as high bandwidth firewall

Michael Holstein michael.holstein at csuohio.edu
Tue Aug 2 13:31:23 GMT 2005

> Though as mentioned in other posts it's important to consider the
> bandwidth requirements. PCI and even PCI-X do have some hardware limits,
> and there are also limitations in some of the gig NIC drivers too. If
> you are looking at gigabit speeds you need to be careful to ensure the
> cards you use don't have drivers with braindead interrupt handling.

Some server-class motherboards have more than one PCI bus (I've 
personally seen this in some Dell Poweredge boxes) -- each represented 
by a separate bridge chip.

You'd want your 'inside' and 'outside' interface on the separate buses, 
and ideally, your RAID controller on a third (if available).

Once you get into sustained high-speed I/O, it's not the interface 
bandwidth that's the problem -- it's getting that data into the CPU (and 
not having it get in the way of something else).

Consider that most ATA disks (even 7.2k SATA ones) have a max sustained 
transfer rate of ~20mb/sec. Bear that in mind if you're logging on this 
box, and stripe the drives accordingly.

Another poster posed the question "what is 'High-Speed'" .. give us your 
throughput targets, number of hosts behind the box, and bandwidth line 
speed (max burst) .. and we can start making recommendations on the best 
hardware config for this (and I'm sure others can chime in on driver 
improvements and kernel tweaks).


Michael Holstein CISSP GCIA
Cleveland State University
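The bus-placement advice above can be checked from the firewall itself. The script below is an added example, not part of the original post or of any project it names: it assumes the Linux sysfs layout where /sys/class/net/<iface>/device is a symlink whose basename is the NIC's PCI address (DDDD:BB:DD.F), treats a differing domain:bus pair as "a separate bus", and flags any two interfaces that share one. The sample interface map inside the test is constructed; on a live box the functions read sysfs instead.

```shell
#!/bin/sh
# Map Linux network interfaces to the PCI bus they sit on and flag any
# interfaces that share a bus. Added example; assumes sysfs exposes
# /sys/class/net/<iface>/device -> .../DDDD:BB:DD.F for PCI NICs.

# iface_pci_map: print "iface pci_address" for every interface whose parent
# device is a PCI function (virtual interfaces such as lo are skipped).
iface_pci_map() {
    for d in /sys/class/net/*; do
        [ -L "$d/device" ] || continue
        printf '%s %s\n' "$(basename "$d")" "$(basename "$(readlink "$d/device")")"
    done
}

# shared_buses: read "iface pci_address" lines on stdin and print one line
# per PCI bus (domain:bus) that carries more than one interface:
#   "DDDD:BB iface1 iface2 ..."
# A dual-port NIC always shows up here: both ports are functions of one
# device on one bus, so it cannot serve as separated inside/outside.
shared_buses() {
    awk '{
        split($2, a, ":"); bus = a[1] ":" a[2]
        n[bus]++; ifs[bus] = ifs[bus] " " $1
    }
    END { for (b in n) if (n[b] > 1) print b ifs[b] }' | sort
}

# check_placement INSIDE OUTSIDE: read the map on stdin; exit 0 if the two
# interfaces are on different PCI buses, 1 if they share one or either
# interface is missing from the map (treated as a failed check).
check_placement() {
    awk -v in_if="$1" -v out_if="$2" '
        $1 == in_if  { split($2, a, ":"); ib = a[1] ":" a[2] }
        $1 == out_if { split($2, a, ":"); ob = a[1] ":" a[2] }
        END { if (ib == "" || ob == "" || ib == ob) exit 1; exit 0 }'
}

# Usage on a live host: "sh placement.sh eth0 eth1" checks one pair;
# with no arguments it lists every bus that carries more than one interface.
if [ "$#" -eq 2 ]; then
    if iface_pci_map | check_placement "$1" "$2"; then
        echo "OK: $1 and $2 are on different PCI buses"
    else
        echo "WARNING: $1 and $2 share a PCI bus (or were not found)"
    fi
else
    iface_pci_map | shared_buses
fi
```

Bus numbers come from the bridge topology, so two interfaces with different bus numbers sit behind different bridges, which is the property the post is after; the check says nothing about interrupt handling or driver quality, which need separate inspection.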

