Hi,
I want to configure CentOS on a powerful server with gigabit adapters as a transparent bridge and deploy it in front of a server farm. Can you tell me how to optimize the OS for high packet processing? What configurations do I need to do to achieve very high speeds and thousands of packets?
sadas sadas wrote:
> Hi,
> I want to configure CentOS on a powerful server with gigabit adapters as a transparent bridge and deploy it in front of a server farm. Can you tell me how to optimize the OS for high packet processing? What configurations do I need to do to achieve very high speeds and thousands of packets?

iptables makes a TERRIBLE firewall, use pf instead

http://www.openbsd.org/faq/pf/index.html

Also consider how you're going to provide redundancy, if you have a web server farm you want to protect them with at least two firewalls, not one.

http://www.openbsd.org/faq/pf/carp.html

I haven't used CARP myself but did setup a pair of pf firewalls about 5 years ago in a large network in bridging mode, the layer 3 fault tolerance was provided by OSPF on the core switches, the firewalls were active-active (with pfsync) since they were layer 2 only.

Maybe someday linux will fix the overly complex iptables system to something that is more manageable, not holding my breath though.

If you want really high speed (say multi GbE) though you'll want/need to go with an appliance based solution.

Also since you're referring to a web server farm, it is perfectly acceptable to not use firewalls these days, if you have a good load balancer that serves the same role as a firewall in that it only passes traffic that you specifically configure it to pass. Also in high traffic environments the performance of load balancers destroys most firewalls, making investing in a high end firewall a very expensive proposition.

I've worked for the better part of the last 10 years with companies who did not have firewalls in front of their web servers for this reason, it didn't make sense $$ wise, because the benefit wasn't there, and the added complexity, and performance implications wasn't worth it either. Talk to most load balancing companies and they'll tell you this themselves.

nate
I will explain more deeply. I need to deploy a firewall(s) in front of the web server farm because I need to do billing - I will use CentOS with iptables + ipset to store a list of my clients, so when a client doesn't pay, his server's IP is out of the list and he can't access the web server.

Second - I know that iptables is very heavy and it's not recommended to use it in a gigabit firewall, but I don't have a choice; as far as I know only ipset works with iptables. I don't know if pf can store 500 IPs in one list. Ipset is written for that purpose.

I can't find information whether there is a linux or BSD distribution with an effective firewall that uses an optimized algorithm to store hundreds of IPs and to forward huge traffic. Any idea?

regards

I'll second damn near everything nate said, and hopefully add a tidbit or two.

If you're new to BSD, you may want to consider the pfsense project in the aforementioned active-active configuration.

It gives you a nice, intuitive gui to manage your failover firewalls, if you insist on putting a firewall in front of your web servers.

Better to secure the box, leave only the ports you need open on the public interfaces, and don't firewall them.

Also, I'd strongly consider running your firewalls with no disk at all. A Live CD, CF card or USB Flash to boot off of, remote syslog and one less subsystem (disks) to buy/fail makes for some mighty cheap 1U servers. A single dual-core with core speeds above 3.0Ghz and 4GB of RAM is enough to pass Gb @ line rate - ethernet overhead. Truth be told, it's already being done on much less than that. You can also load balance your traffic, albeit somewhat primitively, with it. If you really want massive throughput, consider toying around with extremely expensive 10G gear, size RAM appropriately, and see how PF performs under multi-processor, high-core speed. But if you're handling over a Gb of traffic and you can't split the application into multiple farms, that's the best move.

Akamai, for instance, runs 10G to each rack, each rack has around 20-24 servers, and they run GB to the server.

pfsense.org has extensive information about hardware requirements, features, and what you're looking to do.

https://calomel.org/network_performance.html is an excellent BSD firewall performance site.

One thing to note, you are claiming to want to deploy this as a passive bridge. You cannot do what you want to do running anything in bridge mode. The packets need to route somehow. Get a /29 from your colo provider and ask to have your existing block routed through it once you've tested it.

Another option for a seamless failover is to alias a different range of IPs to the server interfaces, put a /29 and whatever netblock you want to end up being your public IP block on the PFSense hardware. When you're convinced everything's working through rigorous testing, put a test domain up pointing to that block, modify virtualhost entries on the servers to respond to that domain with your production web site, and test some more. Once you're convinced that's working perfectly, make the changes in DNS to point your production domain at the IPs you want, and failover will happen with DNS convergence.

Peter

On Fri, Dec 18, 2009 at 9:06 AM, nate <centos at linuxpowered.net> wrote:
> sadas sadas wrote:
> > Hi,
> > I want to configure CentOS on a powerful server with gigabit adapters as a transparent bridge and deploy it in front of a server farm. [...]
>
> iptables makes a TERRIBLE firewall, use pf instead
>
> http://www.openbsd.org/faq/pf/index.html
>
> Also consider how you're going to provide redundancy, if you have a web
> server farm you want to protect them with at least two firewalls, not one.
>
> http://www.openbsd.org/faq/pf/carp.html
>
> [...]
>
> nate
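The iptables + ipset arrangement sadas describes above (paying clients' addresses in a set, everyone else dropped) on a Linux bridge, written out as an added example; it is not code posted in the thread. The set name, the bridge device br0, the sample address file and the current `ipset create` syntax (the 2009-era tool spelled this `ipset -N paying iphash`) are assumptions. DRY_RUN=1, the default, prints the commands instead of running them, so the script can be read and tested without root.

```shell
#!/bin/sh
# Added example (not from the thread): a "paying clients" allow-list on a
# Linux bridge with iptables + ipset. Set name, bridge device and the sample
# list are assumptions. DRY_RUN=1 (default) prints commands instead of
# running them; DRY_RUN=0 on a real firewall executes them (needs root).
set -eu

DRY_RUN="${DRY_RUN:-1}"
SET="paying"   # assumed ipset name
BR="br0"       # assumed bridge device with the two gigabit ports enslaved

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A Linux bridge forwards frames at layer 2 and iptables never sees them
# unless bridge-nf-call-iptables is on. With it on, bridged IPv4 traverses
# the FORWARD chain with the bridge device as -i / -o.
bridge_sysctls() {
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run sysctl -w net.bridge.bridge-nf-call-ip6tables=0
}

# Dotted-quad check so a stray line in the billing export can never turn
# into an unexpected ipset argument.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# FORWARD policy: existing flows skip the set lookup, new flows from a paying
# source are accepted, everything else is dropped.
install_rules() {
    run ipset -exist create "$SET" hash:ip family inet hashsize 1024 maxelem 65536
    run iptables -A FORWARD -i "$BR" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$BR" -m set --match-set "$SET" src -j ACCEPT
    run iptables -A FORWARD -i "$BR" -j DROP
}

# Load a new list (one address per line, '#' comments allowed) into a
# scratch set and swap it in atomically, so a reload never drops traffic
# from clients who are still paying.
reload_from_file() {
    new="${SET}_new"
    run ipset -exist create "$new" hash:ip family inet hashsize 1024 maxelem 65536
    run ipset flush "$new"
    while IFS= read -r ip; do
        case "$ip" in ''|'#'*) continue ;; esac
        if valid_ipv4 "$ip"; then
            run ipset add "$new" "$ip"
        else
            printf 'skipping invalid entry: %s\n' "$ip" >&2
        fi
    done < "$1"
    run ipset swap "$new" "$SET"
    run ipset destroy "$new"
}

# Demo run in dry-run mode with a constructed billing export (not real data).
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' '# exported by the billing system' \
    '192.0.2.10' '192.0.2.11' '198.51.100.7' 'not-an-ip' > "$SAMPLE_FILE"
bridge_sysctls
install_rules
reload_from_file "$SAMPLE_FILE"
```

Two things the script makes explicit that the thread only implies: a Linux bridge does not hand frames to iptables at all until bridge-nf-call-iptables is enabled, and a reload goes into a second set that is swapped in with `ipset swap`, so rebuilding the list never opens a window in which paying clients are dropped. Lines that are not IPv4 addresses are rejected before they reach ipset, which matters when the list is generated by a billing system rather than typed by hand.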
On Fri, Dec 18, 2009 at 2:36 PM, sadas sadas <mailrc at abv.bg> wrote:
> I can't find information whether there is a linux or BSD distribution with an effective
> firewall that uses an optimized algorithm to store hundreds of IPs and to
> forward huge traffic. Any idea?

I think you'll find that this kind of thing can be handled by pf without pf breaking a sweat. And you can ask 100 people what they think you'll find and get 100 different answers. What you really need to do is configure this setup for a controlled test. Only then will you have a good idea what to expect when you go into production.
sadas sadas wrote:
> I can't find information whether there is a linux or BSD distribution with an effective
> firewall that uses an optimized algorithm to store hundreds of IPs and to
> forward huge traffic. Any idea?

Hundreds?

http://www.openbsd.org/faq/pf/tables.html

"A table is used to hold a group of IPv4 and/or IPv6 addresses. Lookups against a table are very fast and consume less memory and processor time than lists. For this reason, a table is ideal for holding a large group of addresses as the lookup time on a table holding 50,000 addresses is only slightly more than for one holding 50 addresses. Tables can be used in the following ways:

 * source and/or destination address in filter, NAT, and redirection rules.
 * translation address in NAT rules.
 * redirection address in redirection rules.
 * destination address in route-to, reply-to, and dup-to filter rule options."

nuff said ?

I love linux, I've been using it for almost 15 years now, I absolutely hate iptables (and ipchains, and ipfwadm). By contrast I absolutely hate everything about OpenBSD except for pf (which I love, ipfw and ipf aren't too bad either, at least for the era), so I use OpenBSD for firewalls, and linux for everything else.

nate
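The same allow-list built with the pf tables nate quotes above, on an OpenBSD bridge, as an added example rather than anything posted in the thread. The interface names em0/em1, the table file /etc/pf/paying.txt, the TEST-NET-3 prefix standing in for the web farm and the bridge(4) setup are assumptions; DRY_RUN=1 (the default) prints the pfctl commands instead of executing them. Address validation is left out here; it is the same check as in the ipset example earlier in the thread and would sit in front of `add_client` in the same way.

```shell
#!/bin/sh
# Added example (not from the thread): the "paying clients" allow-list done
# with pf tables on an OpenBSD bridge. Interface names, the table file path
# and the farm prefix are assumptions. DRY_RUN=1 (default) prints the pfctl
# commands instead of executing them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
TABLE="paying"   # assumed table name, matches <paying> in pf.conf below

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# pf.conf: em0 faces the uplink, em1 faces the farm, both members of bridge0
# (ifconfig bridge0 add em0 add em1 up). pf filters on the member interfaces,
# so filtering inbound on em0 alone expresses this policy; em1 is skipped.
pf_conf() {
    cat <<'EOF'
ext_if = "em0"
int_if = "em1"

# table lookups are radix-tree searches: 500 or 50,000 entries cost about the same
table <paying> persist file "/etc/pf/paying.txt"
table <farm> const { 203.0.113.0/26 }

set skip on { lo0 $int_if }
block in log on $ext_if all
pass in quick on $ext_if proto tcp from <paying> to <farm> port { 80 443 }
pass out quick on $ext_if all
EOF
}

# Runtime table maintenance; none of these reload the ruleset.
add_client()   { run pfctl -t "$TABLE" -T add "$1"; }
reload_table() { run pfctl -t "$TABLE" -T replace -f "$1"; }   # atomic swap from file

# Deleting an address from the table does not touch its existing states;
# kill them too, or the non-paying client keeps its open connections.
drop_client() {
    run pfctl -t "$TABLE" -T delete "$1"
    run pfctl -k "$1"
}

# Demo (dry run): write the config to a temp file, syntax-check it, manage the table.
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
pf_conf > "$tmp"
run pfctl -nf "$tmp"
add_client 192.0.2.10
reload_table /etc/pf/paying.txt
drop_client 192.0.2.10
```

The `pfctl -k` in `drop_client` is the part a billing script most often forgets: pf's table lookup happens when a state is created, so an address removed from the table keeps flowing until its states expire or are killed.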
after a quick search in google:

http://postfactum.pl.ua/pf/

I will test to patch the latest linux kernel with pf. What do you think?

> sadas sadas wrote:
>
>> I can't find information whether there is a linux or BSD distribution with an effective
>> firewall that uses an optimized algorithm to store hundreds of IPs and to
>> forward huge traffic. Any idea?
>
> Hundreds?
>
> http://www.openbsd.org/faq/pf/tables.html
>
> [...]
>
> nuff said ?
>
> [...]
>
> nate
> after a quick search in google:
>
> http://postfactum.pl.ua/pf/
>
> I will test to patch the latest linux kernel with pf.
> What do you think?

Get OpenBSD. Honestly -- all the porting stuff of relatively kernel-close stuff is just braindead.

Timo

> > sadas sadas wrote:
> > [...]
> > nuff said ?
> > [...]
> > nate
What about NetBSD? I heard that NetBSD has the best network stack out there. Maybe NetBSD with pf is the best choice?

>>> I can't find information whether there is a linux or BSD distribution with an effective
>>> firewall that uses an optimized algorithm to store hundreds of IPs and to
>>> forward huge traffic. Any idea?
>>
>> Hundreds?
>>
>> http://www.openbsd.org/faq/pf/tables.html
>>
>> [...]
>>
>> I love linux, I've been using it for almost 15 years now, I absolutely
>> hate iptables (and ipchains, and ipfwadm). By contrast I absolutely
>> hate everything about OpenBSD except for pf (which I love, ipfw and
>> ipf aren't too bad either, at least for the era), so I use OpenBSD
>> for firewalls, and linux for everything else.
>
> I can back this; during 2009, I deployed a bunch of load balancers
> running OpenBSD (using pf, carpd, and relayd). I used to be a super die
> hard BSD guy, but through the years and having used/deployed/propagated
> NetBSD, then FreeBSD, then OpenBSD, then NetBSD again, I took one of my
> usual once-a-year looks at GNU/Linux (this time, it was CentOS, after
> having worked with RHEL for some years), I got settled here.
>
> Long story short: I'd really recommend OpenBSD for your task. iptables
> really sucks. I recently deployed some machines running several virtual
> instances (however still the cheapest *proven* way to get several IP
> stacks in Linux) doing L2 routing, I threw iptables off of those machines
> because it just can't handle stuff at that rate. OpenBSD rocks, I even
> have a setup running (active-active, load balanced) at about 40Mbps
> using Alix boards [0] -- they rock, and they are in no way busy.
>
> OpenBSD's documentation is the best out there, its documentation
> quality is what I really really badly miss in the Linux world. However,
> the community is a bunch of (sorry in advance) assholes. But this is
> well known throughout the internet, so: You have been warned. Great
> product, totally lame vendor. ;)
>
> Timo
>
> [0] -- http://pcengines.ch/alix.htm
>
>> nate
> What about NetBSD? I heard that NetBSD has the best network stack out
> there. Maybe NetBSD with pf is the best choice?

NetBSD is a very nice OS, I personally like it most (out of all BSDs out there); however, as can be read on

http://www.netbsd.org/docs/network/pf.html

there's the 'usual lag': OpenBSD implements feature X in 4.6, wait some time to see it implemented elsewhere.

One of the biggest strengths of OpenBSD is that it's really a completely rounded piece of work. Keep it that way. pf will perform best on OpenBSD, with all the nice features it has.

HTH,

Timo

>>>> I can't find information whether there is a linux or BSD distribution
>>>> with an effective firewall that uses an optimized algorithm to store
>>>> hundreds of IPs and to forward huge traffic. Any idea?
>>>
>>> Hundreds?
>>>
>>> http://www.openbsd.org/faq/pf/tables.html
>>>
>>> [...]
>>>
>>> nate
>>
>> I can back this; during 2009, I deployed a bunch of load balancers
>> running OpenBSD (using pf, carpd, and relayd). [...]
>>
>> Long story short: I'd really recommend OpenBSD for your task.
>> iptables really sucks. [...]
>>
>> Timo
sadas sadas wrote:
> after a quick search in google:
>
> http://postfactum.pl.ua/pf/
>
> I will test to patch the latest linux kernel with pf.
> What do you think?

Don't know, my first bet would be to try Debian/BSD and see if ipf is in there, it's not officially released yet but it will be in the next major release of Debian.

http://www.debian.org/News/2009/20091007

nate
(been using debian for ~12 years)
The syntax is not a problem. The problem is in the performance. I suppose that if I configure OpenBSD to process the in/out packets only to layer 2 the performance will be much more than linux with iptables.

>> I don't know jack about IPSet, but I know enabling or disabling hosts in
>> bare stock PF without the gui in front of it is about as easy as it gets.
>
> IPTABLES is the same;
>
> iptables -A [INPUT/FORWARD] -d -j [REJECT/DROP]
>
>> The PF configuration file syntax was designed from the ground up to be
>> sane, unlike iptables, which typically needs some decent sysadmin scripting
>> or using fwbuilder to make any good sense of.
>
> I beg to differ here. IPTABLES is not that hard when you understand it. Like
> anything else, once you know what you are doing it isn't that hard. And no,
> I have never used any GUI program to configure my firewalls.
>
>> There is no finer opensource firewall product on the market, in terms of
>> performance, ease of configuration and use, and other issues.
>
> This is all subjective to the user. I would say that PF is a nightmare and
> IPTABLES is easier to use.
>
>> If you're not opposed to vi, for what you're looking to accomplish, moving
>> to BSD and pf is a no-brainer. PF can definitely handle a list of 500
>> hosts and anything else you've mentioned. It's absolutely capable, easier,
>> and in general, for anything that involves packet filtering at all, about
>> as good as it gets.
>
> Again this is all subjective to the user.
>
> --
>
> Regards
> Robert
>
> Linux User #296285
> http://counter.li.org
Chan Chung Hang Christopher
2009-Dec-20 15:45 UTC
[CentOS] Optimizing CentOS for gigabit firewall
sadas sadas wrote:
> The syntax is not a problem. The problem is in the performance. I suppose that if I configure OpenBSD to process the in/out packets only to layer 2 the performance will be much more than linux with iptables.

You know SQUAT about filtering on Linux. You want a bridging solution? Then forget about Linux. Even FreeBSD will perform better at bridging firewalling than Linux and OpenBSD is the best performer available. That ipset solution came way after OpenBSD and pf had such a feature and which was already mature and stable too. I should know, I tested ipset while it was still new some years ago.
What solution for a gigabit firewall can you suggest? Which OS and packet filter is capable of achieving high performance and gigabit speeds?

> Les Mikesell wrote:
>> Timo Schoeler wrote:
>>>> What about NetBSD? I heard that NetBSD has the best network stack out
>>>> there. Maybe NetBSD with pf is the best choice?
>>> NetBSD is a very nice OS, I personally like it most (out of all BSDs out
>>> there); however, as can be read on
>>>
>>> http://www.netbsd.org/docs/network/pf.html
>>>
>>> there's the 'usual lag': OpenBSD implements feature X in 4.6, wait some
>>> time to see it implemented elsewhere.
>>>
>>> [...]
>>
>> Has anyone used Firewall Builder to create a complex set of iptables
>> rules? Or compared performance where it built the same thing for
>> linux/iptables and bsd/pf?
>>
>
> Are you joking? That piece of crap just puts everything into one single
> chain. I never EVER use Firewall Builder after I saw the results the
> first time.
>
> For a BRIDGING firewall, there is absolutely NO WAY that Linux/netfilter
> can keep up with OpenBSD/pf. I doubt that Linux/netfilter can even reach
> half the performance of OpenBSD/pf.
On Fri, Dec 18, 2009 at 12:06 PM, nate <centos at linuxpowered.net> wrote:
> iptables makes a TERRIBLE firewall, use pf instead
>
> http://www.openbsd.org/faq/pf/index.html

I wholeheartedly agree with Nate on this! I spent a bunch of time looking at firewall solutions a year or two back, and PF was by far the easiest solution to manage and get up and running. There are also some killer tools for monitoring PF activity:

http://prefetch.net/articles/monitoringpf.html

- Ryan
--
http://prefetch.net
On Fri, Dec 18, 2009 at 09:36:57PM +0200, sadas sadas wrote:
> I will explain more deeply. I need to deploy a firewall(s) in front of the web
> server farm because I need to do billing - I will use CentOS with iptables
> + ipset to store a list of my clients, so when a client doesn't pay, his
> server's IP is out of the list and he can't access the web server.
>
> Second - I know that iptables is very heavy and it's not recommended to
> use it in a gigabit firewall, but I don't have a choice; as far as I know only
> ipset works with iptables. I don't know if pf can store 500 IPs in one list.
> Ipset is written for that purpose.
>
> I can't find information whether there is a linux or BSD distribution with an effective
> firewall that uses an optimized algorithm to store hundreds of IPs and to
> forward huge traffic. Any idea?
>

I've been using Linux (CentOS5) on gigabit firewalls, for thousands of users. No problems.

Just make sure ip_conntrack_max is big enough, so you don't run out of connections.

There are other things to tune to optimize the performance, but it's certainly doable with linux+iptables.

-- Pasi

> regards
>
> I'll second damn near everything nate said, and hopefully add a tidbit or two.
>
> [...]
>
> Peter
>
> On Fri, Dec 18, 2009 at 9:06 AM, nate <centos at linuxpowered.net> wrote:
> [...]
> > nate
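Pasi's point about ip_conntrack_max, carried through as an added example that is not from the thread: size the connection tracking table from a measured peak, keep the kernel's own max-to-buckets ratio, estimate the memory it costs, and read how full the table is from sysctl output. The 2x headroom, the 350 bytes per entry, the timeout values and the sysctl.d path are assumptions; the sysctl lines fed to the parser are constructed sample input, not measurements from anyone's firewall. On CentOS 5 (2.6.18) the names are net.ipv4.netfilter.ip_conntrack_* and the hash size lives under /sys/module/ip_conntrack/; the parser accepts both spellings.

```shell
#!/bin/sh
# Added example (not from the thread): size the netfilter connection
# tracking table for a gigabit iptables firewall and check how full it is.
# Names are the current nf_conntrack ones; on CentOS 5 (2.6.18) read
# net.ipv4.netfilter.ip_conntrack_max and /sys/module/ip_conntrack/...
# instead. The 2x headroom, 350 bytes/entry and the timeouts are
# assumptions, not kernel constants.
set -eu

# Measured peak of concurrent tracked connections -> table size: double it
# for headroom, round up to a power of two so the buckets divide evenly.
recommend_conntrack_max() {
    want=$(( $1 * 2 ))
    n=1024
    while [ "$n" -lt "$want" ]; do n=$(( n * 2 )); done
    echo "$n"
}

# The kernel defaults nf_conntrack_max to 4 x nf_conntrack_buckets; keep that
# ratio when raising the max, or every lookup walks longer hash chains.
buckets_for_max() { echo $(( $1 / 4 )); }

# Rough kernel memory for the table in KiB (assumed ~350 B per entry, 8 B per bucket).
conntrack_mem_kb() { echo $(( ($1 * 350 + $2 * 8) / 1024 )); }

# Percent of the table in use, parsed from "key = value" lines as printed by
# sysctl -a. Accepts both the ip_conntrack_* and nf_conntrack_* spellings.
conntrack_usage_pct() {
    count=0; max=0
    while read -r key sep val; do
        case "$key" in
            *_conntrack_count) count=$val ;;
            *_conntrack_max)   max=$val ;;
        esac
    done
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# "ok" below 80% of the table, "warn" at or above: a full table means the
# kernel logs "nf_conntrack: table full, dropping packet" and new
# connections fail, which on a billing firewall looks like an outage.
conntrack_status() {
    pct=$(conntrack_usage_pct)
    if [ "$pct" -ge 80 ]; then echo "warn ${pct}%"; else echo "ok ${pct}%"; fi
}

# sysctl fragment for the chosen size; idle-flow timeouts are cut because a
# web farm firewall has no reason to keep an established flow for the
# 5-day default (432000 s).
render_sysctl_conf() {
    cat <<EOF
# /etc/sysctl.d/60-conntrack.conf (assumed path)
net.netfilter.nf_conntrack_max = $1
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30
EOF
}

# The bucket count is a module parameter: persistent via modprobe.d, and
# writable at runtime through /sys.
render_hashsize_conf() {
    printf 'options nf_conntrack hashsize=%s\n' "$1"
    printf '# runtime: echo %s > /sys/module/nf_conntrack/parameters/hashsize\n' "$1"
}

# Demo with constructed numbers: 100k measured peak connections.
MAX=$(recommend_conntrack_max 100000)
BUCKETS=$(buckets_for_max "$MAX")
echo "nf_conntrack_max=$MAX buckets=$BUCKETS approx_kernel_mem_kb=$(conntrack_mem_kb "$MAX" "$BUCKETS")"
render_sysctl_conf "$MAX"
render_hashsize_conf "$BUCKETS"
# Constructed sysctl -a excerpt from a box that is about to run out of entries.
printf '%s\n' 'net.netfilter.nf_conntrack_count = 61000' \
              'net.netfilter.nf_conntrack_max = 65536' | conntrack_status
```

Raising the max without raising the hash size is the usual mistake: the table stops overflowing but every lookup walks a longer chain, which is exactly the per-packet cost a gigabit firewall cannot afford. `conntrack_status` is the piece to wire into monitoring; the usage percentage, not the absolute count, is what tells you when the table is about to fill.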
> I've been using Linux (CentOS5) on gigabit firewalls, for thousands of
> users. No problems.
>
> Just make sure ip_conntrack_max is big enough, so you don't run out of
> connections.
>
> There are other things to tune to optimize the performance, but it's
> certainly doable with linux+iptables.
>
> -- Pasi

Would you provide us information about how the firewalls are configured, the hardware, the total bandwidth passing the firewall in each direction and the connections in the busiest hours?

regards
> Some months ago there were discussions about 10 gbit performance with
> Linux. Some guys were pushing over 70 Gbit/sec through a single linux
> box.

70 Gbit/sec? Maybe with port aggregation it's possible. Can you give some more info about those guys? To achieve that high throughput maybe it's necessary to cut most of the OS and the kernel, leaving only the necessary. I'm very interested to read more information about the experiment.

regards

p.s. here you can see a 10 Gbit/s experiment
http://haproxy.1wt.eu/10g.html
On Mon, Dec 21, 2009 at 12:04:32PM +0200, sadas sadas wrote:
> > Some months ago there were discussions about 10 gbit performance with
> > Linux. Some guys were pushing over 70 Gbit/sec through a single linux
> > box.
>
> 70 Gbit/sec? Maybe with port aggregation it's possible. Can you give some
> more info about those guys? To achieve that high throughput maybe it's
> necessary to cut most of the OS and the kernel, leaving only the
> necessary. I'm very interested to read more information about the
> experiment.
>
> regards
>
> p.s. here you can see a 10 Gbit/s experiment
> http://haproxy.1wt.eu/10g.html

See this thread:
http://groups.google.com/group/linux.kernel/browse_thread/thread/70e62d8a85cd3241

quote:

"We also achieved nearly 80 Gbps in bidirectional TCP tests (40 Gbps simultaneously in each direction): This was using 2 dual-port 10-GigE NICs in the first two PCIe 2.0 slots. We are using an Intel i7 965 quad-core 3.2 GHz Nehalem processor (overclocked to 3.4 GHz) and 2000 MHz DDR3 memory. Adding an additional dual-port 10-GigE NIC on the Nvidia N200 chip does only marginally better, as it appears we are basically CPU limited at this point for this test (the sum of the TX and RX CPU utilization for each pair of 10-GigE interfaces is about 93%)."

-- Pasi