With the current discussion of "Performance of CentOS as a NAT gateway", I am curious how many people out there are using CentOS as a Router/Firewall in an enterprise or service provider environment. For myself I am not really concerned about NAT, just a stateful firewall.

The other half of my question is about performance. I have read many articles and posts on the net about performance tuning, but they all seem to be about tuning a single host, not a router. Does anyone have any tips in this area? Is tuning even required?

For the sake of the conversation, let's assume I am referring to CentOS 5.

Graham Johnston
Manager, Network Services
Westman Communications Group
204.571.7225
johnstong at westmancom.com
Graham Johnston wrote:
> With the current discussion of "Performance of CentOS as a NAT gateway", I am curious how many people out there are using CentOS as a Router/Firewall in an enterprise or service provider environment. For myself I am not really concerned about NAT, just a stateful firewall.
>
> The other half of my question is about performance. I have read many articles and posts on the net about performance tuning, but they all seem to be about tuning a single host, not a router. Does anyone have any tips in this area? Is tuning even required?
>
> For the sake of the conversation, let's assume I am referring to CentOS 5.

My best tip for tuning performance: don't, until performance becomes an issue; otherwise you have no basis for determining whether performance has improved.

-Ross
Graham Johnston wrote:
> With the current discussion of "Performance of CentOS as a NAT gateway", I am curious how many people out there are using CentOS as a Router/Firewall in an enterprise or service provider environment. For myself I am not really concerned about NAT, just a stateful firewall.

For stateful firewalls, one should use OpenBSD and pf if . netfilter has caught up on the stateful side with TCP window tracking, but I do not think that support is in CentOS 4 and below. CentOS 5 should have it.

> The other half of my question is about performance. I have read many articles and posts on the net about performance tuning, but they all seem to be about tuning a single host, not a router. Does anyone have any tips in this area? Is tuning even required?

If it is a NATting firewall, forget about performance. There is a maximum to NATting support beyond configuring the maximum number of connections being tracked. Bridging stateful firewalls will find OpenBSD both more stable and better performing. Non-NATting stateful firewalls: no comment, sorry.

> For the sake of the conversation, let's assume I am referring to CentOS 5.

For full stateful support, we would have to. All previous CentOS releases only offer connection tracking.
Graham Johnston wrote:
> With the current discussion of "Performance of CentOS as a NAT gateway", I am curious how many people out there are using CentOS as a Router/Firewall in an enterprise or service provider environment. For myself I am not really concerned about NAT, just a stateful firewall.

Our firewall runs on CentOS 5, x86_64. It runs on an HP Workstation with a dual-core Xeon 5140 2.33 GHz and an Intel dual 82571EB NIC: one NIC for the external side (we have a 1 Gbit internet connection), and one NIC for the internal connections (two VLANs, one with the DMZ, the other with ~250 machines). No NAT.

This is of course not a big setup, but the CentOS/Fedora mirror in the DMZ does give some traffic. The iptables setup has 119 rules. No problems whatsoever with performance.

I've made a kickstart configuration for the firewall. If we get a hardware crash on the fw, we can take another machine and get it up and running as a new firewall within a few minutes (the most time-consuming part is formatting the root partition).

This is quite a nice setup.

Mogens
--
Mogens Kjaer, Carlsberg A/S, Computer Department
Gamle Carlsberg Vej 10, DK-2500 Valby, Denmark
Phone: +45 33 27 53 25, Fax: +45 33 27 47 08
Email: mk at crc.dk
Homepage: http://www.crc.dk
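The two replies above touch on the same pair of points: a non-NAT stateful netfilter firewall on CentOS 5 with an external NIC and an internal NIC carrying a DMZ VLAN, and the connection-tracking table whose size caps what the box can track. The following POSIX shell script is an added example written for this thread; it is not any poster's ruleset or configuration. It prints (rather than applies) a minimal stateful, non-NAT forwarding ruleset in that shape, and computes how full the conntrack table is from a count and a maximum. The interface names eth0/eth1/eth1.10 and the DMZ network 192.0.2.0/24 are assumptions, the sample counter values are constructed, and the /proc paths are the CentOS 5-era ip_conntrack names (nf_conntrack_count/nf_conntrack_max under net/netfilter on newer kernels).

```shell
#!/bin/sh
# Added example for the CentOS-as-firewall thread; not code from any poster.
# Interface names, networks and sample counters below are assumptions.

# Print a stateful, non-NAT iptables ruleset for review before loading.
# Usage: stateful_ruleset <ext_if> <int_if> <dmz_if> <dmz_net>
stateful_ruleset() {
    ext="$1"; int="$2"; dmz="$3"; dmz_net="$4"
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Return traffic for tracked flows: this is what makes the firewall stateful.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify (out-of-window, stray ACKs) are dropped, not forwarded.
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
# Internal hosts may open new connections outward and into the DMZ.
iptables -A FORWARD -i $int -o $ext -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $int -o $dmz -m state --state NEW -j ACCEPT
# Only published DMZ services are reachable from outside (HTTP/HTTPS for a mirror host).
iptables -A FORWARD -i $ext -o $dmz -d $dmz_net -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $ext -o $dmz -d $dmz_net -p tcp --dport 443 -m state --state NEW -j ACCEPT
# DMZ hosts must never initiate connections into the internal network.
iptables -A FORWARD -i $dmz -o $int -j DROP
EOF
}

# Percentage of the conntrack table in use, given a current count and the maximum.
# On CentOS 5 these come from /proc/sys/net/ipv4/netfilter/ip_conntrack_count
# and /proc/sys/net/ipv4/netfilter/ip_conntrack_max.
conntrack_pct() {
    count="$1"; max="$2"
    [ "$max" -gt 0 ] 2>/dev/null || { echo "max must be a positive integer" >&2; return 2; }
    echo $(( count * 100 / max ))
}

# Exit 0 while usage is below the threshold (default 80%), 1 when the table is nearly full.
# A full table means new flows are dropped, which looks like a performance problem.
conntrack_headroom_ok() {
    pct=$(conntrack_pct "$1" "$2") || return 2
    thr="${3:-80}"
    [ "$pct" -lt "$thr" ]
}

# Read the live counters when present; otherwise use constructed sample values
# so the script runs on any host.
report_conntrack() {
    cdir=/proc/sys/net/ipv4/netfilter
    if [ -r "$cdir/ip_conntrack_count" ] && [ -r "$cdir/ip_conntrack_max" ]; then
        count=$(cat "$cdir/ip_conntrack_count"); max=$(cat "$cdir/ip_conntrack_max")
        src="live"
    else
        count=58000; max=65536; src="constructed sample"   # made-up numbers for illustration
    fi
    pct=$(conntrack_pct "$count" "$max")
    if conntrack_headroom_ok "$count" "$max"; then
        echo "conntrack ($src): $count/$max tracked (${pct}%), headroom OK"
    else
        echo "conntrack ($src): $count/$max tracked (${pct}%), table nearly full: raise ip_conntrack_max"
    fi
}

# Demo: print the ruleset for an assumed layout, then the conntrack report.
stateful_ruleset eth0 eth1 eth1.10 192.0.2.0/24
report_conntrack
```

Save the printed ruleset to a file and read it through before loading it; the DMZ-to-internal DROP is listed last so that the ESTABLISHED,RELATED rule above it still lets replies to internal-initiated connections through. The headroom check is the one piece of "tuning" the thread actually identifies: if the table sits near ip_conntrack_max, raise the maximum before touching anything else.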