On Fri, 19 Jan 2007 at 13:42:43 +1300, Jasper Bryant-Greene wrote:
> Thanks to everyone for their fast replies.
> The firewalls are Pentium 4 2.8GHz boxes, only 256MB of RAM, but they're not swapping.
> We're getting about 256Kbit/s absolute maximum through these boxes, whereas on the Ciscos we can sustain 8-10Mbit/s no problem in some tests, and burst much higher.
We can push ~100Mbit at around ~40000 simultaneous connections through our 1.7GHz P4 Celeron beige boxes and top out at about 70% CPU while running a libpcap-based traffic accounting application on the machines, so something's not right with your Shorewall. This is using the standard CentOS 4.4 2.6-series kernel with a few patches for rate limiting and TCP MD5. Our firewall rules are done by hand in a few init scripts. This won't suit everyone, but it does allow us to fine-tune things quite well.

Nigel