Does anyone have any suggestions for hardware requirements? Will a single core have the same throughput as a dual core? Amount of RAM? I will be using Ubuntu Server.

-Jeffrey Gray

Shorewall doesn't run in memory, it just prepares rules for iptables and loads them in a sane fashion. Therefore, the requirements for shorewall aren't anything more than the sum of the components. As that's the case, there are people running effective Linux firewalls on Pentium 2 and Pentium 3 systems. Anything you have should be sufficient. As for RAM, your OS minimum should also be sufficient, though more is always better, that only goes so far for packet switching applications. I ran shorewall on a system with 64MB RAM briefly, and it worked fine.

On 10/10/2010 8:52 PM, Smokin Chevy wrote:
> Does anyone have any suggestions for hardware requirements? Will a
> single core have the same throughput as a dual core? Amount of RAM?
> I will be using Ubuntu Server.
>
> -Jeffrey Gray

> Does anyone have any suggestions for hardware requirements? Will a single
> core have the same throughput as a dual core? Amount of RAM? I will be
> using Ubuntu Server.

Do you want to push some Mbits/s or multi Gbits/s through your firewall and do you plan to handle VPN connections terminated on the same box? That can make a difference but without any information nobody can really tell you something useful.

Simon

Would it be advisable though to stick to Intel NICs over Realteks? I know when building Untangle firewall / filter servers everyone advises to stay away from Realteks and Marvells.

I am trying to build this with as little slowdown as possible.

On Mon, Oct 11, 2010 at 12:17 AM, Christ Schlacta <aarcane@gmail.com> wrote:
> Shorewall doesn't run in memory, it just prepares rules for iptables and
> loads them in a sane fashion. Therefore, the requirements for shorewall
> aren't anything more than the sum of the components.

Stick to Intel cards. I had problems with Realtek cards and Debian.

Best
Sebastian

On 11.10.2010 at 13:29, Smokin Chevy wrote:
> Would it be advisable though to stick to Intel NICs over Realteks? I know when building Untangle firewall / filter servers everyone advises to stay away from Realteks and Marvells.
>
> I am trying to build this with as little slowdown as possible.

On Mon, Oct 11, 2010 at 08:06:50AM +0200, Simon Matter wrote:
> > Does anyone have any suggestions for hardware requirements? Will a single
> > core have the same throughput as a dual core? Amount of RAM? I will be
> > using Ubuntu Server.
>
> Do you want to push some Mbits/s or multi Gbits/s through your firewall
> and do you plan to handle VPN connections terminated on the same box? That
> can make a difference but without any information nobody can really tell
> you something useful.

It is also worth noting that if you wish to do traffic shaping that will impact your hardware requirements as well. It is worth noting that if you plan to do traffic shaping or accounting, that will require more powerful hardware.

However, Simon is right. Without more details it is impossible to give you anything resembling a sensible answer.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

I will be pushing 25 - 30 Mbps at this point. This will have a private internal network with "Average" usage behind it. Up until now I have always had a FreeBSD box doing this job with no port forwards (Basically just an internet sharing role). I plan on redoing the box as it has started having slight hardware issues and decided to go Ubuntu/Shorewall since that is what they use at my work (which I took over as IT Manager and admin the box).

Now the only networking change that I am considering doing is moving some public servers to behind it. I have had a FreeBSD email server, Ubuntu Asterisk server, CentOS Web server, and a Windows 2k8 server open to the internet with real world IP addresses. I know, everyone is cringing right about now, but I have kept up with the local security on the boxes and not had a problem. The Asterisk box is running shorewall on it for its own protection (I cut out most of the crap out there by blacklisting Russia and China).

Anyway, I have been thinking of moving those boxes to behind the firewall. At that point it will be routing for a half dozen low volume websites and a half dozen email domains.

On Mon, Oct 11, 2010 at 9:00 AM, Roberto C. Sánchez <roberto@connexer.com> wrote:
> It is also worth noting that if you wish to do traffic shaping that will
> impact your hardware requirements as well. It is worth noting that if
> you plan to do traffic shaping or accounting, that will require more
> powerful hardware.
>
> However, Simon is right. Without more details it is impossible to give
> you anything resembling a sensible answer.

This should work on most hardware. As stated, hardware requirements seem more dependent on other services.

I run shorewall both at home and at the office. Both run squid as a transparent proxy (as a caching server for local users) and the server at home runs postfix (mail) as a primary mail server for domain and a backup mail server. BIND/DNS is also running on both. They both used to be P4 3GHz with 1/1.5GB of RAM. Both ran without problems or performance issues. :-)

But the main reason I write is to recommend that you look at the Proxy ARP functionality:

http://www.shorewall.net/ProxyARP.htm

This should end your public-IP-usage-without-protection situation :-) I love this feature!

Most servers I run are Linux boxes, and shorewall being so brilliant that it is (thanks Tom!) I run it locally on all the servers even if the whole net is behind a shorewall proxy ARP firewall.

Kristian Marthinussen
---------------------
A/S KK88 - GigaShopS
www.gs.no

From: Smokin Chevy [mailto:chevy4x4burb@gmail.com]
Sent: 11 October 2010 16:42
To: Shorewall Users
Subject: Re: [Shorewall-users] Hardware requirements

I will be pushing 25 - 30 Mbps at this point. This will have a private internal network with "Average" usage behind it.

Smokin Chevy wrote:
>I will be pushing 25 - 30 Mbps at this point. This will have a
>private internal network with "Average" usage behind it.

OK, as a performance point for comparison:

I have a Pentium III 1G running our external gateway. Our connection is a 6mbps uncontended service over fibre (shortly to be upgraded I hope). Actually there are two boxes, running keepalived for failover.

We have a full Class C (/24) subnet, I run accounting AND traffic shaping - but very little in the way of filtering as that's done further downstream.

I'm doing traffic shaping with 6 groups of classes (4 classes per group, plus the parent in each group, plus a root) all running HTB. And of course, two sets, one in, one out.
Accounting is counting in and out traffic for each of the 254 addresses. Both the sets of data are collected every minute.

Typical headers from top are like this:

top - 16:17:41 up 66 days, 23:51,  1 user,  load average: 0.00, 0.00, 0.00
Tasks:  68 total,   2 running,  66 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.7%us,  1.7%sy,  0.0%ni, 95.7%id,  0.0%wa,  0.0%hi,  2.0%si,  0.0%st
Mem:   1036092k total,   894468k used,   141624k free,   413336k buffers
Swap:  2939884k total,        0k used,  2939884k free,   418300k cached

Idle is mostly around 97 to 98% - and dips to perhaps 85% once a minute when the scripts collect the stats and update the rrd databases.
Oh yes, and the rrd files are shared out via nfs to another box that does fancy graphing. If I get it to draw graphs for all 254 IPs (both in and out), and four graphs in parallel (four different time ranges) then I can see idle drop to 60-something % for a second or two and instances of nfsd appear in the process list.

So reckon you can buy any hardware with less horsepower than a 1G PIII these days?

--
Simon Hobson

Well, my choices are either the P4 2.53/533 with a couple gigs of RAM that I have on hand or make an order to Newegg for a Core2Duo, MB, 4GB, and an ATX2.0 PSU.

On Mon, Oct 11, 2010 at 10:26 AM, Simon Hobson <linux@thehobsons.co.uk> wrote:
> OK, as a performance point for comparison:
> I have a Pentium III 1G running our external gateway. Our connection
> is a 6mbps uncontended service over fibre (shortly to be upgraded I
> hope). Actually there are two boxes, running keepalived for failover.

On Monday, October 11, 2010, 17:26:27, Simon Hobson wrote:
> OK, as a performance point for comparison:

At work, we have a 10Mbps symmetric link with about 30 computers in the private network and 3 servers in the public network. Router is running on some ancient PackardBell Pentium 2 400MHz with 224MB RAM and network cards from all over (it's got an Intel Pro 100, 3Com 3c905C and 3c905B and some card with tulip kernel driver). No traffic shaping and accounting, but a lot of port forwards, 6 ipsec tunnels and OpenVPN for roadwarriors. The computer has no problems keeping up, and I'll only replace it because I'm afraid the hard disk won't work much longer. The computer is running Debian stable and shorewall.

At home I used to have an Alix 2c2 box (Geode LX800 500MHz, 256MB RAM, 2xVIA Rhine III on-board - <http://www.pcengines.ch/alix2d2.htm>), which worked nicely until I upgraded my home line to 100Mbps symmetric - it could only push around 80Mbps, so I replaced it with MSI IM-945GSE-A board (Atom N270 1,6GHz, 2x Intel Pro/1000 on-board). I'm running pfSense at home.

Recently SuperMicro released a mini-ITX Atom board with two Intel Pro/1000 on-board cards, and I've heard from several people that it works nicely as a firewall. It uses the newer dual-core Atom D510, and would probably be more than capable for 25-30Mbps (actually, for that even an Alix board will probably suffice).

--
< Jernej Simončič ><><><><>< http://eternallybored.org/ >

That's actually what I am running now. 30+ users on the network, dual ISP, no problems. It just works, and since you have it there is no additional expense.

On 10/11/2010 12:49 PM, Smokin Chevy wrote:
> Well, my choices are either the P4 2.53/533 with a couple gigs of RAM
> that I have on hand or make an order to Newegg for a Core2Duo, MB,
> 4GB, and an ATX2.0 PSU.