IPFW + BRIDGE: network capacity question

2003-10-24 Thread Mark Terribile

Christopher Schulte writes:

 ...  I have an Intel D815EGEW board with a single PIII 1GHZ, ...
 Assume that it will be processing at peak all of this at once:
   500 TCP connections with long lived sessions ...
   500 UDP 'connections'
   500 web (HTTP port 80 tcp) connections per second (graphics,
   small html pages)
   The HTTP sessions will be short lived, so lots of TCP handshakes;
   at *least* a good portion will not utilize persistent HTTP

It's been a while since I was inside HTTP, but you may have a problem.

When the remote end drops a TCP connection, you may re-use the port
immediately.  When you drop it, the protocol stack on your side must
wait 120 seconds (check the number!) before reusing that port number.
If you try to drop and re-use 500 connections per second, you will
run into this as there are only 65536 ports per address, and some of
them are reserved or wired down.

Someone else please check me on this.

Mark Terribile

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


IPFW + BRIDGE: network capacity question

2003-10-23 Thread Christopher Schulte
Hello everyone.  I have an Intel D815EGEW board with a single PIII 1GHZ,
256MEG RAM, 2 Intel Pro 100MB cards.  This will be used as an IPFW+bridging
firewall with FreeBSD 4.8 (RELENG_4_8, perhaps RELENG_4_9 when available).
My message is about network capacity.

Assume that it will be processing at peak all of this at once:
  500 TCP connections with long lived sessions (an hour or more at a time)
  500 UDP 'connections'
  500 web (HTTP port 80 tcp) connections per second (graphics, small
  html pages)
  The HTTP sessions will be short lived, so lots of TCP handshakes;
  at *least* a good portion will not utilize persistent HTTP

The total bandwidth could be 20-50 megabits, mostly outbound to clients on
the internet.

Should I tweak the kernel at all for this? NMBCLUSTERS or NMBUFS?  Something
else?

For IPFW, I figure that adding accept rules that catch most of the packets
up front will help lower CPU usage.  Is this correct?  Maybe allow TCP if
the session is established, allow setup of outbound TCP, allow setup of
incoming TCP/80, allow outbound UDP packets to be happy, etc.

Does anyone see any possible issues with this configuration and the expected
network load?

Thank you, folks!  Any suggestions are very appreciated.
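The rule ordering sketched in the post above, written out as an added example; it is not part of the thread and not anyone's actual ruleset. The interface names (fxp0 outside, fxp1 inside), the inside prefix 192.0.2.0/24 and the rule numbers are assumptions, and the script expects a FreeBSD 4.x bridge with net.link.ether.bridge_ipfw=1 set so that bridged frames are handed to ipfw on the interface they arrive on.

```shell
#!/bin/sh
# Added example, not from the thread: a stateless IPFW ruleset for a
# FreeBSD 4.x bridging firewall, ordered so that the bulk of the traffic
# (packets of already-established TCP sessions) matches the first rule and
# the kernel never walks further down the list for them.
#
# Assumed names (not from the thread): fxp0 faces the Internet, fxp1 faces
# the served hosts, and 192.0.2.0/24 (a documentation prefix) is the
# inside network.  Bridged frames need net.link.ether.bridge_ipfw=1 and
# are matched against the interface they were received on.

IPFW="${IPFW:-/sbin/ipfw}"          # set IPFW=echo for a dry run
OUTSIDE_IF="${OUTSIDE_IF:-fxp0}"
INSIDE_IF="${INSIDE_IF:-fxp1}"
INSIDE_NET="${INSIDE_NET:-192.0.2.0/24}"

# Rule map, in evaluation order:
#   100  established TCP (the long-lived sessions and the body of every
#        HTTP exchange): matched first, so it costs one rule per packet
#   200  inbound SYNs to the web servers on port 80
#   300  outbound SYNs from the inside network
#   400  outbound UDP from the inside network
#   410  inbound UDP to the inside network (stateless replies; see note)
#   500  ICMP echo, unreachable (incl. path-MTU), time-exceeded
#   65000 everything else is dropped and logged for later review
bridge_rules() {
    cat <<EOF
add 100 allow tcp from any to any established
add 200 allow tcp from any to ${INSIDE_NET} 80 setup via ${OUTSIDE_IF}
add 300 allow tcp from ${INSIDE_NET} to any setup via ${INSIDE_IF}
add 400 allow udp from ${INSIDE_NET} to any via ${INSIDE_IF}
add 410 allow udp from any to ${INSIDE_NET} via ${OUTSIDE_IF}
add 500 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny log ip from any to any
EOF
}

# Flush the current set and load the rules above.  Returns non-zero if
# any ipfw invocation fails.
load_bridge_rules() {
    "$IPFW" -q flush || return 1
    bridge_rules | while IFS= read -r rule; do
        # $rule is intentionally unquoted: each word is a separate argument
        "$IPFW" -q $rule || exit 1
    done
}
```

Two trade-offs worth knowing before running this. Rule 100 trusts the TCP flag bits, so any segment with ACK set passes no matter where it came from; the stateful alternative (check-state / keep-state, available in 4.x ipfw) closes that gap but keeps a dynamic entry per flow, which at 500 new HTTP connections per second is exactly the CPU and memory cost the post is trying to avoid. Rule 410 is the same trade-off for UDP: stateless, it admits any UDP to the inside network, while keep-state on rule 400 would admit only replies. The final deny-and-log rule is what makes misconfiguration and unexpected traffic visible; with net.inet.ip.fw.verbose_limit set, a flood of denied packets cannot fill the logs.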
