[NCLUG] Sizing Firewalls

Michael Dwyer mdwyer at sixthdimension.com
Fri Apr 6 15:48:17 MDT 2001


Hey, I've got a question for the group -- what are your thoughts on
ipchains firewall sizing?  That is, what processor do you need to be
able to move full bandwidth?

Okay, so here is what I know:  A 486DX2/80 will move plenty of data, and
happily route packets for years without appearing to break a sweat.  I
know.  I've done this.  But one day, I replaced said box with a
ppro/266 -- and the throughput increased noticeably.  But the 486 didn't
seem overloaded -- the processor usage was around 2% or so...

So, what size of a processor do you need to fill a T1?  How can you tell
your firewall is a bottleneck if it doesn't appear to be working all
that hard?

What tools do you use to test firewall throughput?  TCPSpray?  pathchar
reports 2.9Mb/s, but it was also dropping 15% of the frames.  Ping and
traceroute test latency, but not really bandwidth.

My users are reporting a lack of bandwidth, but I cannot see any
problems locally, and they aren't buying the "That's just the way the
internet is" explanation anymore. Is there a way I can prove to myself,
and therefore my users, that their slow downloads aren't my fault? :)




