Re: Short question
I don't remember very well, but I think that you may need to put a
limit on the number of states so as not to fill up all the memory. Other
than that, just for a fw it is one fine machine. It may seem a bit slow
when doing ssh to it because the encryption really taxes the CPU. But
for just filtering, it is OK. Don't try IPSec, though.
This would be a good question for Daniel. Is pf more
[memory|bus|cpu] [bandwidth|latency|amount] constrained when NATing
200 machines? Is there some easy way to test it? I don't have that setup to
make a test, but if someone can come up with one, I'm willing to try.
Thursday, December 12, 2002, 1:58:29 PM, you wrote:
JN> As far as a packetfilter/bridge/router no sweat. If you intend on doing
JN> something such as running a web based mail server then it's a totally different
JN> issue. My ppro 200 when I'm connected using imp via imap the idle drops to
JN> maybe 20% and it's slow as anything. Also, wrapping webpages w/ ssl makes the
JN> load incredibly high. As far as just running http and sendmail though, it's not
JN> a problem. Then again using your box only for filtering is probably a better
JN> idea anyway :-)
JN> Quoting Adam Getchell <AdamG@hrrm.ucdavis.edu>:
>> A data point:
>> I helped someone set up on OpenBSD 3.1-current a Pentium 200 with 32MB of
>> RAM to filter 150+ Windows workstations on our University's LAN with a
>> typical 20 line ruleset, and the box hasn't dropped below 94% idle even with
>> clients simultaneously downloading Windows service packs.
>> They had to get a new switch, because the router couldn't deal with that
>> many addresses on one VLAN, but the box didn't break a sweat.
>> This also had the effect of freezing in place an ongoing break-in.
>> I've seen other University colleagues deploy and then throw away several
>> thousand dollar vendor firewall/switches, because they couldn't get them to
>> work properly even after extended "vendor support", and the failures kept
>> freezing their network until their department chairs said "Enough!".
>> > -----Original Message-----
>> > From: Anders Rosvoldaunet [mailto:firstname.lastname@example.org]
>> > Sent: Wednesday, December 04, 2002 6:02 AM
>> > To: email@example.com
>> > Subject: Short question
>> > Just a simple, yet quite complicated question; will a Pentium MMX 166Mhz
>> > with 32MB of RAM work as a pf-ing bridge between a network with 200 - 250
>> > clients and the Internet? It's running altqd as well. The two NICs used are
>> > high quality; one xl0 and one fxp0 card.
>> > ---
>> > Anders Rosvoldaunet
>> > firstname.lastname@example.org