Re: need help in setting up a demilitarized zone

2003-01-17 Thread bsd
Redmond Militante writes: 

hi all 

this gateway box is a dell optiplex gx150 pIII 930 mhz
with 128 mb of ram, 2 nics 

i would like this gateway box to protect our webserver,
our mysql server, and possibly another webserver. 
our webserver is a dual xeon dell poweredge 1650 with 2 gig of ram,
it gets sometimes more than 10 hits a day,
and is hooked up to a t100 line. 

will my little optiplex gateway box be able to keep up
with a webserver that's this busy? 

A PIII 930 can handle a LOT of traffic!  All it is doing is shuffling
packets - it should be ample for your needs!  And it has plenty RAM too. 

i know i at least have to replace the 3com 3c905b card on it,
as i'm pretty sure that that type of nic can't even handle a
t100 connection. 

For a DMZ you need 3 NICs.  You have an Intel NIC on-board(?), so why not
put 2 more new intel NICS in free PCI slots, and then you will be set. 

but - is the computer itself fast enough?

Plenty IMHO. 

Regards,
Patrick O'Reilly. 


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message


Re: need help in setting up a demilitarized zone

2003-01-17 Thread Bill Moran
Redmond Militante wrote:

hi all

so i have my gateway/ipfw/natd machine working, protecting a test client box. this gateway box is
a dell optiplex gx150 pIII 930 mhz with 128 mb of ram, 2 nics - one integrated intel pro 1000,
the other a really old 3com 3c905b that i pulled out of an old junker computer that we were going
to throw out.

i would like this gateway box to protect our webserver, our mysql server, and possibly another
webserver. our webserver is a dual xeon dell poweredge 1650 with 2 gig of ram, it gets sometimes
more than 10 hits a day, and is hooked up to a t100 line.

will my little optiplex gateway box be able to keep up with a webserver that's this busy? i know
i at least have to replace the 3com 3c905b card on it, as i'm pretty sure that that type of nic
can't even handle a t100 connection. but - is the computer itself fast enough?

You don't say what kind of bandwidth the 100,000 hits/day equates to but assuming an average 15k/hit,
that equates to about 17k/sec on busy days.

If all you're doing on the Optiplex is ipfw filtering and port forwarding, I think it will keep up
just fine.  If you want it to be a reverse proxy, you may have to beef it up a bit (probably add RAM
for the proxy cache).

The Handbook has a statement on IPFW's performance at the end of the firewall section:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
(it's all the way at the bottom) and the tests there seem to indicate that a 486/66 could handle
the load you describe.

There are other factors, though.  On your busy days, is the load spread out over all or most of the
24 hour period, or does 90% of it come during a 2 hour spike?  If it's spiking pretty hard, your
requirements might be well above the 17k/sec I estimated.


also - does anyone have any recommendations for a good 4 port hub or switch for this particular
purpose? right now i'm using an old netgear en 104tp, which is probably not ideal.

Not familiar with the hub you describe, but if you're running 100mb/sec ethernet, you're not even
scraping the surface with the bandwidth I estimated.
Again, this could change if your busy days are caused by huge spikes over short periods of time
that you need to be able to handle.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com

