[NCLUG] Sizing Firewalls

Gary Rogers garyr at dmin.net
Sat Apr 7 07:08:40 MDT 2001


Well this isn't too intricate, and I'll bet you'll get better answers,
but....

Take your handy dandy Linux laptop, and download a large package, say XFree86
source from your favorite mirror, FROM OUTSIDE YOUR FIREWALL...

Then attempt the same from behind your firewall; use ncftp, or some other
FTP client that will give you a reliable average download speed. Make sure
that when you download your circuit is loaded with users, so that you get an
accurate picture. The key is to generate stats over time, thus the large
download. My bet is that there is no difference between the two tests, or at
the least that it's minor.

The other thing you can try is running MRTG on your router, if you have the
SNMP community name. Then you should be able to see the utilization at any
given time.

You can also take a look at some Keynote stats (www.keynote.com, look for the
Internet Health Report); what your users might be seeing is problems between
backbone providers at the NAPs (Network Access Points).

So now you're looking for bottlenecks in three different points:
    1) the firewall.
    2) the line/router.
    3) the NAP between your backbone provider and the Internet.

Hope this helps

g:wq

----- Original Message -----
From: "Michael Dwyer" <mdwyer at sixthdimension.com>
To: <nclug at nclug.org>
Sent: Friday, April 06, 2001 3:48 PM
Subject: [NCLUG] Sizing Firewalls


> Hey, I've got a question for the group -- what are your thoughts on
> ipchains firewall sizing?  That is, what processor do you need to be
> able to move full bandwidth?
>
> Okay, so here is what I know:  A 486DX2/80 will move plenty of data, and
> happily route packets for years without appearing to break a sweat.  I
> know.  I've done this.  But one day, I replaced said box with a
> ppro/266 -- and the throughput increased noticeably.  But the 486 didn't
> seem overloaded -- the processor usage was around 2% or so...
>
> So, what size of a processor do you need to fill a T1?  How can you tell
> your firewall is a bottleneck if it doesn't appear to be working all
> that hard?
>
> What tools do you use to test firewall throughput?  TCPSpray?  pathchar
> reports 2.9Mb/s, but it was also dropping 15% of the frames.  Ping and
> traceroute test latency, but not really bandwidth.
>
> My users are reporting a lack of bandwidth, but I cannot see any
> problems locally, and they aren't buying the "That's just the way the
> internet is" explanation anymore. Is there a way I can prove to myself,
> and therefore my users, that their slow downloads aren't my fault? :)
>
>
> _______________________________________________
> NCLUG mailing list
> NCLUG at nclug.org
> http://www.nclug.org/mailman/listinfo/nclug
>
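The inside-versus-outside download test described in Gary's reply, written up as a small POSIX shell script. This is an added example, not code from the original posts or from the NCLUG list; it uses curl's `%{speed_download}` write-out variable (bytes per second) in place of the ncftp average-rate display the reply mentions, and the mirror URL, run count and output file names are assumptions for illustration.

```shell
#!/bin/sh
# Repeated-download throughput test: run once from outside the firewall,
# once from a client behind it, then compare the two sets of samples.
# Example code, not from the original thread. Assumes curl is installed.

# Summarise one rate per line (bytes/s, as curl prints %{speed_download}).
# A rate of 0 means a failed transfer; it is counted but kept out of the
# mean/min/max so one dropped connection does not masquerade as slow bandwidth.
# Output: "ok_runs failed_runs mean_bps min_bps max_bps"
throughput_stats() {
    awk 'BEGIN { n = 0; f = 0 }
         $1 + 0 > 0 {
             n++; s += $1
             if (n == 1 || $1 < min) min = $1
             if (n == 1 || $1 > max) max = $1
             next
         }
         { f++ }
         END {
             if (n > 0) printf "%d %d %.0f %.0f %.0f\n", n, f, s / n, min, max
             else       printf "0 %d 0 0 0\n", f
         }'
}

# Percentage by which the inside mean falls short of the outside mean.
# Usage: slowdown_percent INSIDE_MEAN_BPS OUTSIDE_MEAN_BPS  -> prints an integer
slowdown_percent() {
    awk -v i="$1" -v o="$2" 'BEGIN {
        if (o + 0 <= 0) { print "n/a"; exit }
        printf "%.0f\n", (o - i) / o * 100
    }'
}

# Fetch URL $1 $2 times (default 5), one bytes/s sample per line.
# A large file is deliberate: the average must be taken over many seconds
# while the circuit carries its normal user load, not over a 50 KB burst.
# curl still emits the -w line when a transfer fails, so failures show as 0.
measure_download() {
    url=$1
    runs=${2:-5}
    i=0
    while [ "$i" -lt "$runs" ]; do
        curl -sS -o /dev/null -w '%{speed_download}\n' "$url" || true
        i=$((i + 1))
    done
}

# Driver, only used when the script is run directly with a URL argument:
#   sh fwtest.sh outside http://mirror.example.net/pub/XFree86-src.tar.gz
#   sh fwtest.sh inside  http://mirror.example.net/pub/XFree86-src.tar.gz
#   sh fwtest.sh compare
# (hostname and file are placeholders; use a mirror you actually have access to)
case "${1:-}" in
    outside|inside)
        measure_download "$2" "${3:-5}" > "$1.samples"
        throughput_stats < "$1.samples"
        ;;
    compare)
        set -- $(throughput_stats < inside.samples)
        inside_mean=$3
        set -- $(throughput_stats < outside.samples)
        outside_mean=$3
        echo "inside mean: $inside_mean B/s, outside mean: $outside_mean B/s"
        echo "slowdown through firewall: $(slowdown_percent "$inside_mean" "$outside_mean")%"
        ;;
esac
```

If the inside and outside means agree to within a few percent while the box is under its normal load, the firewall is not the bottleneck and the problem is on the line or beyond it (the second and third points in the list above). A large slowdown, or a high failed-run count only on the inside run, points at the firewall itself.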



