Dear Paul C Smedegaard
There is no hard limit on the size of the rulebase. But you will
run out of memory. You'll get an error message saying something
like 'memory exhausted' or some other error message about NAT
(can't remember); then see the manuals on how to add more memory
to the kernel module. You may also want to monitor the memory
usage with 'fw ctl pstat'.
I made some tests with FW1 version 4.1 on Solaris 2.6, Ultra-10,
with 640Mb memory regarding the number of network objects, not
the number of rules in the rulebase. But I think they will give
you an idea about the size. Btw, Check Point has some calculations
available on their web site for how much memory you'll need,
for different purposes (e.g. NAT).
The kernel memory was adjusted to 9Mb.
My calculations show how long it takes to compile about 40
rules and a number of network objects. The firewall does filtering
afterwards, without any significant performance degradation.
Figures below:

Objects   Real        User        Sys
7016      10:50.3     6:12.6      0.7
7270      10:23.1     6:40.7      0.8
...
34702     14:31.0     25.3        2.5
51466     6:33:44.1   5:42:49.0   43.0
...
56800     8:30:40.8   6:41:56.7   1:24.1
It takes much less time to compile an ipfilter rulebase on OpenBSD
with one filter line for each object. (A few minutes). And it does
the filtering equally fast with the same bandwidth.
On 29 January (Mon), 2001 at 08:07:16PM -0500, Smedegaard, Paul C wrote:
> Here's the environment:
>
> HP-UX, 512MB RAM, Firewall-1 4.0
>
> Is there a theoretical maximum size or number of rules that I can have? If
> so, what are the parameters and input that go into this calculation? How
> can I increase the rulebase size if necessary? Any and all help is
> appreciated.
>
> Thanks, Paul
Kind regards / Best regards, Thomas Haugård
--
Niels Thomas Haugård Office: + 45 35 87 88 89 _ __/|
UNI-C Fax: + 45 35 87 88 90 \'x X'
Vermundsgade 5 E-mail: [EMAIL PROTECTED] =(_o_)=
DK-2100 København Ø WWW: http://www.uni-c.dk U
Denmark. PGP key [EMAIL PROTECTED] |>o<|
My desk isn't messy - it's encrypted