Smokin Chevy wrote: >I will be pushing 25 - 30 Mbps at this point. This will have a >private internal network with "Average" usage behind it. Up until >now I have always had a FreeBSD box doing this job with no port >forwards (Basically just an internet sharing role). I plan on >redoing the box as it has started having slight hardware issues and >decided to go Ubuntu/Shorewall since that is what they use at my >work (which I took over as IT Manager and admin the box). Now the >only networking changes that I am considering doing is moving some >public servers to behind it. I have had a FreeBSD email server, >Ubuntu Asterisk server, CentOS Web server, and a Windows 2k8 server >open to the internet with real world IP addresses. I know, everyone >is cringing right about now, but I have kept up with the local >security on the boxes and not had a problem. The asterisk box is >running showewall on it for it's own protection (I cut out most of >the crap out there by black listing Russia and China). Anyway, I >have been thinking of moving those boxes to behind the firewall. At >that point it will be routing for a half dozen low volume websites >and a half dozen email domains.
OK, as a performance point for comparison : I have a Pentium III 1G running our external gateway. Our connection is a 6mbps uncontended service over fibre (shortly to be upgraded I hope). Actually there are two boxes, running keepalived for failover. We have a full Class C (/24) subnet, I run accounting AND traffic shaping - but very little in the way of filtering as that's done further downstream. I'm doing traffic shaping with 6 groups of classes (4 classes per group, plus the parent in each group, plus a root) all running HTB. And of course, two sets, one in, one out. Accounting is counting in and out traffic for each of the 254 addresses. Both the sets of data are collected every minute. Typical headers from top are like this : top - 16:17:41 up 66 days, 23:51, 1 user, load average: 0.00, 0.00, 0.00 Tasks: 68 total, 2 running, 66 sleeping, 0 stopped, 0 zombie Cpu(s): 0.7%us, 1.7%sy, 0.0%ni, 95.7%id, 0.0%wa, 0.0%hi, 2.0%si, 0.0%st Mem: 1036092k total, 894468k used, 141624k free, 413336k buffers Swap: 2939884k total, 0k used, 2939884k free, 418300k cached Idle is mostly around 97 to 98% - and dips to perhaps 85% once a minute when the scripts collect the stats and update the rrd databases. Oh yes, and the rrd files are shared out via nfs to another box that does fancy graphing. If I get it to draw graphs for all 254 IPs (both in and out), and four graphs in parallel (four different time ranges) then I can see idle drop to 60-something % for a second or two and instances of nfsd appear in the process list. So reckon you can buy any hardware with less horsepower than a 1G PIII these days ? -- Simon Hobson Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books. ------------------------------------------------------------------------------ Beautiful is writing same markup. Internet Explorer 9 supports standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. Spend less time writing and rewriting code and more time creating great experiences on the web. Be a part of the beta today. http://p.sf.net/sfu/beautyoftheweb _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
