On 12/20/05, Steven J Lamb <redhattedsheep@xxxxxxxxx> wrote:
> I have been looking at the information you guys gave me and it looks like
> some good tools. Although I already have a bandwidth tester called ttcp
> which seems to work great. I guess what I want to know is how process
> intensive iptables gets to be. I am planning on routing approx. 4 class-C
> networks across a 10 Mbit/second fiber media converter. I guess the question
> I have is whether I can get away with using a Linux box or if I should buy a
> used Cisco router. I have essentially a spare server with two Gigabit
> Ethernet ports on it, but I don't want to run my fiber through that if it is
> going to slow down my traffic. I don't yet have the equipment or the fiber,
> so I cannot do an empirical test. If I could, then I would be able to do the
> try-and-tune method. So I guess my question is iptables specific. Does anyone
> out there know what parts of iptables cost a lot in CPU/memory? My
> spare server is really a dual Xeon 2.8 GHz with 3 GB RAM, dual Gigabit
> Ethernet, and is currently running a small Apache web server and my SpamAssassin
> spam filters. It is by no means being overloaded now, but I don't want to buy
> a media converter and find that I don't have the processor power.

Please don't top post.

Generally speaking:

- NAT increases latency and resource usage, including memory.
- Connection tracking increases memory usage, but properly optimized it will decrease overall load and latency.
- Firewall optimization requires an understanding of your typical utilization.

As an example of optimization: I managed a firewall with dual fractional T-3s and multiple VPN connections, NAT, etc. High-traffic times were between 6 AM and 6 PM; I moved my rules for low-traffic times to the end, minimizing the impact on the busy production times.

-- 
Leonard Isham, CISSP
Ostendo non ostento.
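The rule-ordering advice in the reply above (put the rules that carry the most traffic first, which requires knowing your typical utilization) can be driven by the packet counters iptables already keeps. The script below is an added example, written for this page and not code from either poster. It parses the output of `iptables -L FORWARD -v -n -x` (the listing in SAMPLE is constructed, not captured from a real box), works out which rules must keep their relative order because their match sets may overlap and their targets differ, and then emits the hottest rules first subject to those constraints, so the verdict for every packet stays the same. The function names (`parse_chain`, `may_overlap`, `reorder`, `rule_evaluations`) are this example's own.

```python
"""Reorder an iptables chain by hit count without changing any verdict.

Added example, not from the original thread. Input is the text of
`iptables -L <chain> -v -n -x`; the SAMPLE below is constructed. Only the
fields that listing exposes are inspected: protocol, interfaces, source and
destination networks and a single destination port. Anything else (state
matches, port ranges, multiport, marks) is treated as "may overlap", which
keeps the reordering conservative.
"""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = """\
Chain FORWARD (policy DROP 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 1204000  900000000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     120       7200 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            192.0.2.10           tcp dpt:22
      30       1800 DROP       tcp  --  eth0   eth1    198.51.100.0/24      192.0.2.10           tcp dpt:80
   88000    5280000 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            192.0.2.10           tcp dpt:80
    5000     300000 ACCEPT     udp  --  eth0   eth1    0.0.0.0/0            192.0.2.53           udp dpt:53
      40       2400 DROP       tcp  --  eth0   eth1    0.0.0.0/0            192.0.2.10           tcp dpt:23
"""

ANY = {"all", "0", "*"}   # wildcard spellings iptables uses for prot and interfaces

@dataclass
class Rule:
    index: int            # 1-based position in the chain, as iptables numbers it
    pkts: int
    target: str
    prot: str
    in_if: str
    out_if: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[str]  # single destination port, None if absent or a range
    text: str

def parse_chain(listing: str) -> list[Rule]:
    rules = []
    for line in listing.splitlines()[2:]:   # skip "Chain ..." and the column header
        f = line.split()
        if len(f) < 9:
            continue
        m = re.search(r"\bdpt:(\d+)\b", " ".join(f[9:]))
        rules.append(Rule(
            index=len(rules) + 1, pkts=int(f[0]), target=f[2], prot=f[3],
            in_if=f[5], out_if=f[6],
            src=ipaddress.ip_network(f[7], strict=False),
            dst=ipaddress.ip_network(f[8], strict=False),
            dport=m.group(1) if m else None, text=line.strip()))
    return rules

def may_overlap(a: Rule, b: Rule) -> bool:
    """True unless some match field proves the two rules see disjoint packets."""
    if a.prot not in ANY and b.prot not in ANY and a.prot != b.prot:
        return False
    for x, y in ((a.in_if, b.in_if), (a.out_if, b.out_if)):
        if x not in ANY and y not in ANY and x != y:
            return False
    if not a.src.overlaps(b.src) or not a.dst.overlaps(b.dst):
        return False
    if a.dport and b.dport and a.dport != b.dport:
        return False
    return True   # state and other module matches are not inspected: assume overlap

def reorder(rules: list[Rule]) -> list[Rule]:
    n = len(rules)
    # before[j]: positions that must stay ahead of j so every packet keeps its verdict
    before = {r.index: set() for r in rules}
    after = {r.index: set() for r in rules}
    for i in range(n):
        for j in range(i + 1, n):
            a, b = rules[i], rules[j]
            if a.target != b.target and may_overlap(a, b):
                before[b.index].add(a.index)
                after[a.index].add(b.index)
    # A cold rule that pins a hot one behind it inherits the hot rule's weight,
    # otherwise the hot rule would be dragged to the end along with it.
    prio = {}
    for r in reversed(rules):               # successors always have higher indices
        prio[r.index] = max([r.pkts] + [prio[k] for k in after[r.index]])
    by_index = {r.index: r for r in rules}
    done, order = set(), []
    while len(order) < n:
        ready = [i for i in before if i not in done and before[i] <= done]
        pick = min(ready, key=lambda i: (-prio[i], i))   # hottest first, stable
        done.add(pick)
        order.append(by_index[pick])
    return order

def rule_evaluations(order: list[Rule]) -> int:
    """Rule checks the counted traffic would have needed under this ordering."""
    return sum(pos * r.pkts for pos, r in enumerate(order, start=1))

if __name__ == "__main__":
    rules = parse_chain(SAMPLE)
    new = reorder(rules)
    print("before:", rule_evaluations(rules), "rule evaluations")
    print("after: ", rule_evaluations(new), "rule evaluations")
    for r in new:
        print(f"was #{r.index}: {r.text}")
```

On the constructed listing the DROP for 198.51.100.0/24 to port 80 has only 30 hits but must stay ahead of the 88000-hit ACCEPT for port 80, so the script moves both up together rather than sinking the DROP to the bottom and the ACCEPT with it. The RELATED,ESTABLISHED rule stays first, which is the connection-tracking point in the reply: one early state match lets most packets skip the rest of the chain. Apply the new order by editing an `iptables-save` dump and loading it with `iptables-restore`, and re-check the counters over a full day, since an ordering tuned on business-hours traffic is what the reply describes.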