
Re[2]: Short question



Hello James,
  I don't remember very well, but I think that you may need to put a
  limit on the number of states so as not to fill up all the memory. Other
  than that, just for a fw it is one fine machine. It may seem a bit slow
  when doing ssh to it because the encryption really taxes the CPU. But
  for just filtering, it is OK. Don't try IPSec, though.
  This would be a good question for Daniel. Is pf more
  [memory|bus|cpu] [bandwidth|latency|amount] constrained when NATing
  200 machines? Is there some easy way to test it? I don't have that setup to
  make a test, but if someone can come up with one, I'm willing to try.

Regards,
Alejandro Belluscio

Thursday, December 12, 2002, 1:58:29 PM, you wrote:

JN> As far as a packetfilter/bridge/router no sweat.  If you intend on doing
JN> something such as running a web based mail server then it's a totally different
JN> issue.  My ppro 200 when I'm connected using imp via imap the idle drops to
JN> maybe 20% and it's slow as anything.  Also, wrapping webpages w/ ssl makes the
JN> load incredibly high.  As far as just running http and sendmail though, it's not
JN> a problem.  Then again using your box only for filtering is probably a better
JN> idea anyway :-)
JN> James
JN> Quoting Adam Getchell <AdamG@hrrm.ucdavis.edu>:
>> Anders,
>> 
>> A data point:
>> 
>> I helped someone set up on OpenBSD 3.1-current a Pentium 200 with 32MB of
>> RAM to filter 150+ Windows workstations on our University's LAN with a
>> typical 20 line ruleset, and the box hasn't dropped below 94% idle even with
>> clients simultaneously downloading Windows service packs.
>> 
>> They had to get a new switch, because the router couldn't deal with that
>> many addresses on one VLAN, but the box didn't break a sweat.
>> 
>> This also had the effect of freezing in place an ongoing break-in.
>> 
>> I've seen other University colleagues deploy and then throw away several
>> thousand dollar vendor firewall/switches, because they couldn't get them to
>> work properly even after extended "vendor support", and the failures kept
>> freezing their network until their department chairs said "Enough!".
>> 
>> --Adam
>> 
>> > -----Original Message-----
>> > From: Anders Rosvoldaunet [mailto:anders@trondheim.online.no]
>> > Sent: Wednesday, December 04, 2002 6:02 AM
>> > To: pf@benzedrine.cx
>> > Subject: Short question
>> > 
>> > 
>> > Just a simple, yet quite complicated question; will a Pentium 
>> > MMX 166MHz
>> > with 32MB of RAM work as a pf-ing bridge between a network 
>> > with 200 - 250
>> > clients and the Internet? It's running altqd as well. The two 
>> > NICs used are
>> > high quality; one xl0 and one fxp0 card.
>> > 
>> > ---
>> > Anders Rosvoldaunet
>> > anders@trondheim.online.no