router metrics

Leonard Isham leonard.isham at gmail.com
Tue Dec 20 15:34:40 UTC 2005


On 12/20/05, Steven J Lamb <redhattedsheep at adiis.net> wrote:
> I have been looking at the information you guys gave me and it looks like
> some good tools, although I already have a bandwidth tester called ttcp
> which seems to work great. I guess what I want to know is how process
> intensive iptables gets to be. I am planning on routing approx. 4 class-C
> networks across a 10 Mbit/second fiber media converter. I guess the question
> I have is whether I can get away with using a Linux box or if I should buy a
> used Cisco router. I have essentially a spare server with two Gigabit
> Ethernet ports on it, but I don't want to run my fiber through that if it is
> going to slow down my traffic. I don't yet have the equipment or the fiber,
> so I cannot do an empirical test. If I could, then I would be able to do the
> try-and-tune method. So I guess my question is iptables specific. Does anyone
> out there know what parts of iptables cost a lot in CPU/memory? My
> spare server is really a dual Xeon 2.8 GHz with 3 GB RAM, dual Gigabit
> Ethernet, and is currently running a small Apache web server and my SpamAssassin
> spam filters. It is by no means being overloaded now, but I don't want to buy
> a media converter and find that I don't have the processor power.
>

Please don't top post.

Generally speaking:

- NAT increases latency and resource usage, including memory.
- Connection tracking increases memory usage, but properly optimized
it will decrease overall load and latency.
- Firewall optimization requires an understanding of your typical utilization.

As an example of optimization, I managed a firewall with dual
fractional T-3s and multiple VPN connections, NAT, etc. High-traffic
times were between 6 AM and 6 PM; I moved my rules for low-traffic
times to the end, minimizing the impact on the busy production times.

--
Leonard Isham, CISSP
Ostendo non ostento.
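The rule-ordering point above (an early conntrack accept, frequently hit rules first, low-traffic rules at the end) can be put in numbers, because an iptables chain is evaluated top to bottom and the first matching rule wins. The following is an added example, not code from the original post or from either poster: it models that first-match walk in Python over a constructed daytime traffic mix, compares the rule checks per packet for a naive and a tuned ordering of the same rules, confirms the reordering does not change any verdict, and derives the tuned order from hit counts. The chain, ports, packet counts and the INPUT-chain rendering are assumptions chosen for illustration; nothing here talks to the kernel.

```python
"""Added example (not from the original post): model of first-match
evaluation in an iptables chain, used to compare the cost of two rule
orderings over a constructed daytime traffic mix."""

from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    established: bool  # what conntrack would report for this packet


@dataclass(frozen=True)
class Rule:
    name: str
    spec: str                        # iptables match arguments (assumed)
    match: Callable[[Packet], bool]  # the same match, as a predicate
    target: str = "ACCEPT"


def new_tcp(port: int) -> Callable[[Packet], bool]:
    """Predicate for '-p tcp --dport PORT -m state --state NEW'."""
    return lambda p: p.proto == "tcp" and p.dport == port and not p.established


# Hypothetical INPUT chain for a router carrying web, mail, ssh and a
# nightly rsync backup. Rules are mutually exclusive by design: the
# NEW-state matches never claim packets that belong to an existing flow.
RULES = {
    "ESTAB":  Rule("ESTAB", "-m state --state ESTABLISHED,RELATED", lambda p: p.established),
    "HTTP":   Rule("HTTP", "-p tcp --dport 80 -m state --state NEW", new_tcp(80)),
    "SMTP":   Rule("SMTP", "-p tcp --dport 25 -m state --state NEW", new_tcp(25)),
    "SSH":    Rule("SSH", "-p tcp --dport 22 -m state --state NEW", new_tcp(22)),
    "BACKUP": Rule("BACKUP", "-p tcp --dport 873 -m state --state NEW", new_tcp(873)),
}

NAIVE = [RULES[n] for n in ("BACKUP", "SSH", "SMTP", "HTTP", "ESTAB")]
TUNED = [RULES[n] for n in ("ESTAB", "HTTP", "SMTP", "SSH", "BACKUP")]


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> Tuple[str, int]:
    """First match wins; returns (verdict, number of rules examined)."""
    for examined, rule in enumerate(chain, start=1):
        if rule.match(pkt):
            return rule.target, examined
    return policy, len(chain)  # fell through to the chain policy


def chain_cost(chain: List[Rule], packets: List[Packet]) -> int:
    """Total rule checks the chain performs for the whole packet list."""
    return sum(evaluate(chain, p)[1] for p in packets)


def verdicts_agree(a: List[Rule], b: List[Rule], packets: List[Packet]) -> bool:
    """Reordering is only safe if every packet still gets the same verdict."""
    return all(evaluate(a, p)[0] == evaluate(b, p)[0] for p in packets)


def order_by_hits(chain: List[Rule], packets: List[Packet]) -> List[Rule]:
    """Stable sort: rules that terminate the most packets move to the top."""
    hits = Counter()
    for p in packets:
        for rule in chain:
            if rule.match(p):
                hits[rule.name] += 1
                break
    return sorted(chain, key=lambda r: -hits[r.name])


def render(chain: List[Rule], target_chain: str = "INPUT") -> List[str]:
    """The ordering as iptables commands (assumed chain name)."""
    return [f"iptables -A {target_chain} {r.spec} -j {r.target}" for r in chain]


def daytime_mix() -> List[Packet]:
    """Constructed 6 AM - 6 PM mix: mostly established flows and new web hits."""
    return ([Packet("tcp", 80, True)] * 6000      # replies/in-flight, conntrack knows them
            + [Packet("tcp", 80, False)] * 2000   # new web connections
            + [Packet("tcp", 25, False)] * 500    # new mail
            + [Packet("tcp", 22, False)] * 50     # new ssh
            + [Packet("tcp", 873, False)] * 10    # a stray daytime rsync
            + [Packet("udp", 5000, False)] * 300)  # unsolicited, hits the policy


if __name__ == "__main__":
    pkts = daytime_mix()
    print("naive order:", chain_cost(NAIVE, pkts), "rule checks")
    print("tuned order:", chain_cost(TUNED, pkts), "rule checks")
    print("same verdicts:", verdicts_agree(NAIVE, TUNED, pkts))
    for line in render(order_by_hits(NAIVE, pkts)):
        print(line)
```

On the constructed mix the naive order (backup rule first, conntrack accept last) performs 41110 rule checks and the tuned order 13250, with identical verdicts for every packet; the check in `verdicts_agree` is the caveat that matters, since rules that overlap (a DROP for a subnet followed by a broader ACCEPT) cannot be reordered freely, and the NEW/ESTABLISHED split is what keeps these ones disjoint. The `-m state` match is the 2005-era spelling; current iptables prefers `-m conntrack --ctstate`, with the same meaning.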




More information about the fedora-list mailing list