On Fri, Jun 07, 2002 at 12:10:09PM +1000, Rusty Russell wrote:
> > If their firewall reboots and is running iptables and thus Linux: How
> > long will it be down?
>
> 120 seconds to reboot with a fixed kernel...

Umm, OK, I shouldn't have compared the reboot time of my desktop PC with a tuned firewall/router PC.

> > Which application will actually survive the down-time?
>
> Everything: it's just like a router going down.

Yes, sure, but now let's look at where most (Linux) firewalls are deployed: as (or at) the gateway to the Internet. Your typical traffic there will consist of mail, web, p2p, ftp, online gaming, nntp and the occasional telnet/ssh/...

Mail, p2p and nntp don't really care. If the connection breaks, so what? Let's try again (application).

Web: If the connection breaks, the user will hit reload way before the firewall is back online; in addition, large transfers can be resumed in many cases.

ftp: you are right, although with current clients, reget and automatic retries are not uncommon.

Online gaming, telnet/ssh/... depend on whether you are actively doing something when the connection goes down. If you do, even two minutes is usually too long. Either your app has thrown you out with a ping timeout etc., or the user will become impatient and kill the connection anyway.

> > Does this application really matter?
>
> Um, does connectivity matter 8)

Sure, what I'm trying to say is that in many (most) current uses, connectivity matters. It matters so much, though, that it doesn't matter whether packets belonging to active connections are dropped or not after a two-minute downtime. They are de facto dead too.

 ciao

PS: I'm the first who will admit that there are other places/usages where this will make a difference, e.g. connecting database servers and clients through a firewall. If many client apps are idling, they will (hopefully) survive the downtime.

-- 
Joerg Mayer <[EMAIL PROTECTED]>
I found out that "pro" means "instead of" (as in proconsul). Now I know what proactive means.
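The failure mode argued over above is that a stateful firewall keeps its connection-tracking table only in memory, so after a reboot the mid-stream packets of every connection that was open before the reboot arrive as "NEW but not SYN" and a default-DROP ruleset built around `--state ESTABLISHED,RELATED -j ACCEPT` discards them, while a client that simply reconnects (the browser reload, the mailer's retry) gets through because its fresh SYN creates a new entry. The toy model below is an added example written for this page, not code from Joerg Mayer, Rusty Russell or the netfilter project. The `StatefulFirewall` class, the flow names and the traffic trace are all constructed here; the `tcp_loose` switch imitates the idea of picking up a mid-stream TCP flow from any ACK without having seen its handshake (Linux later exposed that behaviour as the `nf_conntrack_tcp_loose` sysctl, enabled by default), so the same trace can be compared with and without pickup.

```python
"""Toy model of a stateful packet filter that loses its conntrack table on reboot.

Constructed example; it is not netfilter code and models only the state that
matters for the argument: "is this flow already known to the firewall?".
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Literal, Set, Tuple

Verdict = Literal["ACCEPT", "DROP"]


@dataclass(frozen=True)
class Packet:
    flow: str   # stands in for the 5-tuple; a reload uses a new source port, hence a new flow
    flags: str  # subset of "SAF": SYN, ACK, FIN; a plain data segment carries "A"


@dataclass
class StatefulFirewall:
    """Default-DROP filter in the style of
       -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
       -A FORWARD -p tcp --syn -m state --state NEW -j ACCEPT
       -A FORWARD -j DROP
    The tracking table lives only in memory, exactly like the kernel's."""
    tcp_loose: bool = False                 # hypothetical switch: pick up mid-stream flows
    table: Set[str] = field(default_factory=set)

    def filter(self, pkt: Packet) -> Verdict:
        if pkt.flow in self.table:          # ESTABLISHED: seen this flow before
            return "ACCEPT"
        if pkt.flags == "S":                # NEW and a real handshake: admit and track
            self.table.add(pkt.flow)
            return "ACCEPT"
        if self.tcp_loose and "A" in pkt.flags:
            # Loose pickup: trust a mid-stream ACK we never saw the SYN for.
            self.table.add(pkt.flow)
            return "ACCEPT"
        return "DROP"                       # NEW but not SYN: orphaned mid-stream packet

    def reboot(self) -> None:
        """Kernel restart: every tracked connection is forgotten."""
        self.table.clear()


# Constructed traffic trace. The firewall reboots between the two lists.
BEFORE_REBOOT: List[Packet] = [
    Packet("ssh-1", "S"), Packet("ssh-1", "A"),     # interactive ssh session set up
    Packet("http-1", "S"), Packet("http-1", "A"),   # a browser fetch in progress
]
AFTER_REBOOT: List[Packet] = [
    Packet("ssh-1", "A"),    # user presses a key in the old ssh session
    Packet("http-1", "A"),   # the browser's in-flight segment on the old connection
    Packet("http-2", "S"),   # user hits reload: brand-new connection, new source port
]


def run_scenario(tcp_loose: bool) -> List[Tuple[str, str, str]]:
    """Replay the trace through one firewall instance; returns (phase, flow, verdict)."""
    fw = StatefulFirewall(tcp_loose=tcp_loose)
    log: List[Tuple[str, str, str]] = []
    for pkt in BEFORE_REBOOT:
        log.append(("before", pkt.flow, fw.filter(pkt)))
    fw.reboot()
    for pkt in AFTER_REBOOT:
        log.append(("after", pkt.flow, fw.filter(pkt)))
    return log


def verdicts_after_reboot(tcp_loose: bool) -> Dict[str, str]:
    """Only the post-reboot verdicts, keyed by flow, for easy comparison."""
    return {flow: verdict for phase, flow, verdict in run_scenario(tcp_loose)
            if phase == "after"}


if __name__ == "__main__":
    for loose in (False, True):
        print(f"tcp_loose={loose}:")
        for phase, flow, verdict in run_scenario(loose):
            print(f"  {phase:6} {flow:7} {verdict}")
```

With the strict ruleset the old ssh and http connections are dead after the reboot and only the reload's new SYN gets through, which is the situation the thread describes; with loose pickup all three packets pass, at the price of accepting mid-stream packets the firewall never saw a handshake for (and, for real traffic, only if the endpoints have not already timed the connection out during the two minutes).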