[unisog] IPTables as high bandwidth firewall

Peter Van Epp vanepp at sfu.ca
Wed Aug 3 23:07:09 GMT 2005

On Wed, Aug 03, 2005 at 03:00:45PM -0700, Johan van Reijendam wrote:
> All,
> First of all thank you for your replies so far.
> In reply to the question of what my throughput would be. I would like to 
> be able to put this firewall on a gigabit link. In many cases traffic 
> will be VLAN tagged. The system will most likely not be used at wire 
> speed but the closer I can get the better. Any tips, tweaks and 
> suggestions welcome.
	In addition to those issues you have already noted, a couple more:

1) interleaved RAM (the more interleaved the better). You are also close to 
   RAM bandwidth limits at a gig (around 8 memory accesses per byte if I recall
   correctly at wire speed gig. Note you are sharing the RAM with the CPU to
   execute instructions in most cases as well as using it to transfer packets
   between cards). 

2) Interrupt moderation enabled on your gig cards. This means that the card
   doesn't interrupt for every packet (both Intel Pro and modern SysKonnect
   cards do this). It plays hell with interpacket timing but also drops 
   CPU utilization by a largish amount because interrupts are expensive. 

3) no logging to disk (preferably no disk I/O at all, a memory file system that
   boots from CD would be a good bet) on the box, log to a network port and 
   log to disk on another box. The disk I/O will likely block the PCI bus long 
   enough to cause packet loss in the interface cards at high speed.

	Here are a couple of interesting papers on making Gig cards go fast 
from the HPC community (in this instance physicists are your friends, they like
to transfer terabytes of data around the world at high speeds and therefore 
poke at things like gig cards and machines to see what goes fast on high-speed,
high-latency networks).



Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
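Point 2 in the post above (interrupt moderation) is easy to state and hard to eyeball. Added example, not part of the original message or the unisog archive: a small Python check that diffs two snapshots of `/proc/interrupts` and `/proc/net/dev` taken a known interval apart and reports interrupts per packet for each interface. A ratio near 1.0 means the card is interrupting for every packet; a ratio well below 1.0 means coalescing is working. The sample snapshots are constructed (eth0 moderated, eth1 not), the `read_live()` helper and the 0.5 threshold are my own choices, and grouping IRQ names on their first `-` component (so `eth0-rx-0` counts toward `eth0`) is a heuristic for multiqueue cards.

```python
"""Interrupts-per-packet check for NICs (added example, not from the unisog post).

Compares two snapshots of /proc/interrupts and /proc/net/dev and reports, per
interface, how many interrupts the card raised per packet moved. Run as a
script it evaluates the constructed sample below; read_live() does the same
against the running kernel.
"""
import time

# Constructed sample snapshots, one second apart (not real captures).
# eth0 has interrupt moderation enabled, eth1 interrupts once per packet.
IRQ_BEFORE = """\
           CPU0       CPU1
 24:    5000000    5000000   PCI-MSI-edge      eth0
 25:    7000000    7000000   PCI-MSI-edge      eth1
NMI:          0          0   Non-maskable interrupts
"""
IRQ_AFTER = """\
           CPU0       CPU1
 24:    5002500    5002500   PCI-MSI-edge      eth0
 25:    7050000    7050000   PCI-MSI-edge      eth1
NMI:          0          0   Non-maskable interrupts
"""
NET_BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 100000000 1000000 0 0 0 0 0 0 50000000 500000 0 0 0 0 0 0
  eth1: 100000000 1000000 0 0 0 0 0 0 50000000 500000 0 0 0 0 0 0
    lo: 1000 10 0 0 0 0 0 0 1000 10 0 0 0 0 0 0
"""
NET_AFTER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 160000000 1060000 0 0 0 0 0 0 74000000 540000 0 0 0 0 0 0
  eth1: 160000000 1060000 0 0 0 0 0 0 74000000 540000 0 0 0 0 0 0
    lo: 1000 10 0 0 0 0 0 0 1000 10 0 0 0 0 0 0
"""


def parse_interrupts(text):
    """Return {device: interrupts summed over all CPUs} for numbered IRQ lines."""
    lines = text.splitlines()
    ncpu = len(lines[0].split())          # header row lists one CPUn per column
    totals = {}
    for line in lines[1:]:
        fields = line.split()
        if len(fields) < ncpu + 2 or not fields[0][:-1].isdigit():
            continue                      # skip NMI:/LOC:/ERR: and short lines
        counts = fields[1:1 + ncpu]
        # Heuristic: multiqueue names like eth0-rx-0 are folded into eth0.
        device = fields[-1].split("-")[0]
        totals[device] = totals.get(device, 0) + sum(int(c) for c in counts)
    return totals


def parse_net_dev(text):
    """Return {iface: rx_packets + tx_packets}; field 1 is rx pkts, 9 is tx pkts."""
    packets = {}
    for line in text.splitlines()[2:]:    # first two lines are column headers
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 16:
            continue
        packets[name.strip()] = int(fields[1]) + int(fields[9])
    return packets


def interrupts_per_packet(irq_before, irq_after, net_before, net_after):
    """Per interface that has an IRQ line: (packets moved, interrupts, irq/packet)."""
    i0, i1 = parse_interrupts(irq_before), parse_interrupts(irq_after)
    p0, p1 = parse_net_dev(net_before), parse_net_dev(net_after)
    result = {}
    for iface in p1:
        if iface not in p0 or iface not in i0 or iface not in i1:
            continue                      # e.g. lo has no interrupt line
        pkts = p1[iface] - p0[iface]
        irqs = i1[iface] - i0[iface]
        ratio = irqs / pkts if pkts else float("nan")
        result[iface] = (pkts, irqs, ratio)
    return result


def classify(ratio, threshold=0.5):
    """Label a ratio: 'idle' (no traffic), 'per-packet', or 'moderated'."""
    if ratio != ratio:                    # nan: nothing moved in the interval
        return "idle"
    return "per-packet" if ratio >= threshold else "moderated"


def read_live(interval=1.0):
    """Take two real snapshots `interval` seconds apart (Linux only)."""
    def snap():
        with open("/proc/interrupts") as f, open("/proc/net/dev") as g:
            return f.read(), g.read()
    irq0, net0 = snap()
    time.sleep(interval)
    irq1, net1 = snap()
    return interrupts_per_packet(irq0, irq1, net0, net1)


if __name__ == "__main__":
    report = interrupts_per_packet(IRQ_BEFORE, IRQ_AFTER, NET_BEFORE, NET_AFTER)
    for iface, (pkts, irqs, ratio) in report.items():
        print(f"{iface}: {pkts} packets, {irqs} interrupts, "
              f"{ratio:.3f} irq/packet -> {classify(ratio)}")
```

Under load, a per-packet interface at a gigabit is the one to look at with `ethtool -c` (coalescing settings); the ratio on an idle box tells you nothing, which is why `classify()` reports idle separately.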
