[unisog] IPTables as high bandwidth firewall
Peter Van Epp
vanepp at sfu.ca
Wed Aug 3 23:07:09 GMT 2005
On Wed, Aug 03, 2005 at 03:00:45PM -0700, Johan van Reijendam wrote:
> First of all thank you for your replies so far.
> In reply to the question of what my throughput would be. I would like to
> be able to put this firewall on a gigabit link. In many cases traffic
> will be VLAN tagged. The system will most likely not be used at wire
> speed but the closer I can get the better. Any tips, tweaks and
> suggestions welcome.
In addition to those issues you have already noted a couple more:
1) interleaved RAM (the more interleaved the better). You are also close to
RAM bandwidth limits at a gig (around 8 memory accesses per byte if I recall
correctly at wire speed gig). Note you are sharing the RAM with the CPU to
execute instructions in most cases as well as using it to transfer packets.
2) Interrupt moderation enabled on your gig cards. This means that the card
doesn't interrupt for every packet (both Intel Pro and modern SysKonnect
cards do this). It plays hell with interpacket timing but also drops
CPU utilization by a largish amount because interrupts are expensive.
3) no logging to disk (preferably no disk I/O at all, a memory file system that
boots from CD would be a good bet) on the box, log to a network port and
log to disk on another box. The disk I/O will likely block the PCI bus long
enough to cause packet loss in the interface cards at high speed.
Here are a couple of interesting papers on making Gig cards go fast
from the HPC community (in this instance physicists are your friends, they like
to transfer terabytes of data around the world at high speeds and therefore
poke at things like gig cards and machines to see what goes fast on high speed
high latency networks).
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
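A small audit script for points 2 and 3 above, added as an example and not part of the original post. It assumes a Linux box where `ethtool -c` reports interrupt coalescing and `iptables-save` dumps the ruleset; to run offline, both outputs are replaced by constructed samples, and a real host would substitute the live command output.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the firewall runs Linux
# with ethtool(8) and iptables-save(8); their output is stubbed with constructed
# samples below so the checks run without hardware.

# Constructed sample of `ethtool -c eth0` on a card with coalescing switched off.
ETHTOOL_SAMPLE='Coalesce parameters for eth0:
Adaptive RX: off  TX: off
rx-usecs: 0
rx-frames: 1
tx-usecs: 0
tx-frames: 1'

# Constructed sample of `iptables-save`: one LOG rule (goes to syslog, usually a
# local disk) and one NFLOG rule (userspace collector that can ship logs off-box).
IPTABLES_SAMPLE='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
-A INPUT -j NFLOG --nflog-group 1
COMMIT'

# Exit 0 when interrupt moderation is on: adaptive RX enabled or rx-usecs > 0.
coalescing_enabled() {
    printf '%s\n' "$1" | awk '
        /^Adaptive RX: on/ { on = 1 }
        /^rx-usecs:/       { if ($2 + 0 > 0) on = 1 }
        END { exit on ? 0 : 1 }'
}

# Print how many rules use the kernel LOG target (i.e. log via syslog on the box).
count_disk_log_rules() {
    printf '%s\n' "$1" | grep -c -- '-j LOG'
}

audit() {
    if coalescing_enabled "$ETHTOOL_SAMPLE"; then
        echo "OK: interrupt moderation is on"
    else
        echo "WARN: rx-usecs is 0, the card interrupts per packet (point 2)"
    fi
    n=$(count_disk_log_rules "$IPTABLES_SAMPLE")
    [ "$n" -eq 0 ] || echo "WARN: $n rule(s) use LOG; prefer NFLOG to a remote collector (point 3)"
}

audit
```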