From owner-freebsd-security Thu Jun 25 01:29:18 1998
From: Julian Assange
Date: 25 Jun 1998 18:28:30 +1000
To: sthaug@nethelp.no
Cc: chuck+ipfilter@snew.com, 7gprn@qlink.queensu.ca, ipfilter@postbox.anu.edu.au, freebsd-security@FreeBSD.ORG
Subject: Re: Firewall requirements
References: <19980624104152.63811@yerkes.com> <28166.898701790@verdi.nethelp.no>
In-Reply-To: sthaug@nethelp.no's message of "Wed, 24 Jun 1998 17:23:10 +0200"
X-Mailer: Gnus v5.5/XEmacs 20.4 - "Emerald"

sthaug@nethelp.no writes:

> > You will not likely get 100Meg through a PC. I presume you will
> > actually have multiple 100Meg cards?
> >
> > Now the processors are fast, but the caches are small and the bus
> > speeds aren't great. I haven't played with the 100MHz motherboards
> > yet, but I've not gotten close to that throughput on a consumer PC.
> > I may be wrong; I last looked when Pentiums were reaching for 200MHz
> > and they couldn't come close.
>
> I have no experience using ipfilter on a saturated 100 Mbps Ethernet
> segment. But I can tell you that PCs have been able to send and receive
> a full 100 Mbps data stream (no ipfilter) for quite a while. I measured
> 95 Mbps (effective, application to application) on a lowly P-133 running
> FreeBSD more than a year ago, using either ttcp or NetPerf. Network cards
> were either DEC based or Intel Pro 100/B.
>
> A 400 MHz PII with BX chipset and 100 MHz bus should do considerably
> better.
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no

100Mb for ipfilter on a decent platform should be no problem. I haven't
extensively tested ipfilter for speed, but I _have_ written a BSD packet
"laundering" device (/dev/launder), which can steal a load of (;) of
packets from the network, pass it through userland, wash it, and hang it
out to dry on the network stack at over 100Mbps on a measly p100.

Ipfilter has a lot less overhead and memory movement than this, and
provided the MTU is large and the ruleset isn't hundreds of entries long,
it should be able to keep up with 100Mbps traffic quite easily.

On an interesting side-note, I found routing packets through /dev/launder
from a 10Mbps link actually improved TCP performance by 5%. Quite strange
that.

Cheers,
Julian.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message