Iptables initialization

Jörg W Mittag Joerg.Mittag at Web.De
Sat Feb 14 08:12:39 PST 2004


Archaic wrote:
> On Fri, Feb 13, 2004 at 12:08:40PM -0500, Bill's LFS Login wrote:
>> As a point of curiosity for me, I have been interested in learning some
>> of the aspects of the overhead associated with filtering (effectively)
>> for security purposes. Haven't done any research yet, but if you know of
>> some docs that address issues such as increased latency, propagation
>> delays, effects on overall throughput, I would be interested. Or if you
>> happen to gather these metrics during your rework, that would be useful.
> Can't give any quick links, just an anecdote. I used a 486SX/33 with
> 4MB of ram on a cable connection with no noticeable degradation. I was
> still averaging 240Kbps before and after the firewall was put up. This
> was on a 256Kbps (theoretical) connection. Upload also chugged along
> around 120Kbps, same as before. Personally, I would have to see
> degradation to believe it since I've personally seen the lack thereof.

A small ISP here in south west Germany uses cheap Linux boxes instead of
Cisco or Juniper as routers and packet filters in many places. They have
mainly Pentiums and a few 486 routing 10 and 100 MBit/s Ethernet lines.

Actually, it seems that the limiting factor is bus bandwidth, not CPU power.
(ISA won't handle 100 MBit/s and PCI won't handle 1 GBit/s.) This is
especially true if you don't use extra-cheap Taiwanese NICs that don't
even have buffers and generate one interrupt for each and every frame they
receive, but even the slowest Pentium II should be able to saturate multiple
100 MBit/s Ethernet links using RealTek NICs.

jwm
-- 
gimp-1.2.5% ./configure
checking for intelligent life... not found


