Re[2]: Short question

Hello James,
  I don't remember very well, but I think that you may need to put a
  limit on the number of states so as not to fill up all the memory. Other
  than that, just for a fw it is one fine machine. It may seem a bit slow
  when doing ssh to it because the encryption really taxes the CPU. But
  for just filtering, it's OK. Don't try IPSec, though.
  This would be a good question for Daniel. Is pf more
  [memory|bus|cpu] [bandwidth|latency|amount] constrained when NATing
  200 machines? Is there some easy way to test it? I don't have that setup to
  make a test, but if someone can come up with one, I'm willing to try.
Alejandro Belluscio
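[Added illustration, not part of anyone's message above: a pf.conf fragment showing the state limit the reply recommends, alongside a NAT setup for a LAN of the size discussed. The interface names (xl0/fxp0), the 10.0.0.0/24 network, the 20000 figure and the timeouts are assumptions; the syntax is the OpenBSD 3.2-era pf.conf(5) form with nat rules inside the ruleset.]

```conf
# Added example pf.conf (assumed names: xl0 outside, fxp0 inside,
# 10.0.0.0/24 on the inside).  Not from the original thread.
ext_if  = "xl0"
int_if  = "fxp0"
int_net = "10.0.0.0/24"

# The point made in the reply: cap the state table explicitly so that a
# burst of connections cannot exhaust RAM on a 32MB box.  pf.conf(5)
# defaults this to 10000 entries; 200 clients can each hold dozens of
# states (browser connections, DNS lookups), so size it deliberately.
# Each entry costs roughly a few hundred bytes of kernel memory
# (approximation, assumed for sizing).  Once the limit is hit, new
# connections fail rather than the kernel running out of memory.
set limit states 20000

# Let idle states expire sooner so the table turns over (seconds; assumed values).
set timeout { tcp.established 3600, udp.single 30, udp.multiple 60 }
set optimization normal

# Reassemble fragments before filtering.
scrub in all

# NAT the whole internal network behind the external interface address.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny inbound; allow the LAN out with state tracking, so reply
# packets match the state entry instead of a rule.
block in all
pass out on $ext_if keep state
pass in  on $int_if from $int_net to any keep state
pass out on $int_if keep state
```

After `pfctl -f /etc/pf.conf`, `pfctl -si` reports the current number of state entries and `pfctl -sm` the configured limits; watching that count under load, together with `top` and `vmstat` for CPU and memory, is the simplest way to see whether the state table or the CPU is the constraint for the 200-machine NAT case asked about above.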
Thursday, December 12, 2002, 1:58:29 PM, you wrote:
JN> As far as a packetfilter/bridge/router no sweat.  If you intend on doing
JN> something such as running a web based mail server then it's a totally different
JN> issue.  My ppro 200 when I'm connected using imp via imap the idle drops to
JN> maybe 20% and it's slow as anything.  Also, wrapping webpages w/ ssl makes the
JN> load incredibly high.  As far as just running http and sendmail though, it's not
JN> a problem.  Then again using your box only for filtering is probably a better
JN> idea anyway :-)
JN> James
JN> Quoting Adam Getchell <AdamG@hrrm.ucdavis.edu>:
>> Anders,
>> A data point:
>> I helped someone set up on OpenBSD 3.1-current a Pentium 200 with 32MB of
>> RAM to filter 150+ Windows workstations on our University's LAN with a
>> typical 20 line ruleset, and the box hasn't dropped below 94% idle even with
>> clients simultaneously downloading Windows service packs.
>> They had to get a new switch, because the router couldn't deal with that
>> many addresses on one VLAN, but the box didn't break a sweat.
>> This also had the effect of freezing in place an ongoing break-in.
>> I've seen other University colleagues deploy and then throw away several
>> thousand dollar vendor firewall/switches, because they couldn't get them to
>> work properly even after extended "vendor support", and the failures kept
>> freezing their network until their department chairs said "Enough!".
>> --Adam
