Hello James,

I don't remember very well, but I think that you may need to put a limit on the number of states so as not to fill up all the memory. Other than that, just for a fw it is one fine machine. It may seem a bit slow when doing ssh to it because the encryption really taxes the CPU. But for just filtering, it is OK. Don't try IPSec, though.

This would be a good question to Daniel. Is pf more [memory|bus|cpu] [bandwidth|latency|amount] constrained when NATing 200 machines? Is there some easy way to test it? I don't have that setup to make a test, but if someone can come up with one, I'm willing to try.

Regards,
Alejandro Belluscio

Thursday, December 12, 2002, 1:58:29 PM, you wrote:

JN> As far as a packetfilter/bridge/router no sweat. If you intend on doing
JN> something such as running a web based mail server then it's a totally different
JN> issue. My ppro 200 when i'm connected using imp via imap the idle drops to
JN> maybe 20% and it's slow as anything. Also, wrapping webpages w/ ssl makes the
JN> load incredibly high. As far as just running http and sendmail though, it's not
JN> a problem. Then again using your box only for filtering is probably a better
JN> idea anyway :-)

JN> James

JN> Quoting Adam Getchell <[EMAIL PROTECTED]>:

>> Anders,
>>
>> A data point:
>>
>> I helped someone set up on OpenBSD 3.1-current a Pentium 200 with 32MB of
>> RAM to filter 150+ Windows workstations on our University's LAN with a
>> typical 20 line ruleset, and the box hasn't dropped below 94% idle even with
>> clients simultaneously downloading Windows service packs.
>>
>> They had to get a new switch, because the router couldn't deal with that
>> many addresses on one VLAN, but the box didn't break a sweat.
>>
>> This also had the effect of freezing in place an ongoing break-in.
>>
>> I've seen other University colleagues deploy and then throw away several
>> thousand dollar vendor firewall/switches, because they couldn't get them to
>> work properly even after extended "vendor support", and the failures kept
>> freezing their network until their department chairs said "Enough!".
>>
>> --Adam
>>
>> > -----Original Message-----
>> > From: Anders Rosvoldaunet [mailto:[EMAIL PROTECTED]]
>> > Sent: Wednesday, December 04, 2002 6:02 AM
>> > To: [EMAIL PROTECTED]
>> > Subject: Short question
>> >
>> >
>> > Just a simple, yet quite complicated question; will a Pentium MMX 166Mhz
>> > with 32MB of RAM work as a pf-ing bridge between a network with 200 - 250
>> > clients and the Internet? It's running altqd as well. The two NICs used are
>> > high quality; one xl0 and one fxp0 card.
>> >
>> > ---
>> > Anders Rosvoldaunet
>> > [EMAIL PROTECTED]
