From: Bill Moran
Date: Fri, 17 Jan 2003 10:26:16 -0500
To: Redmond Militante
Cc: freebsd-questions@freebsd.org
Subject: Re: need help in setting up a demilitarized zone

Redmond Militante wrote:
> hi all
>
> so i have my gateway/ipfw/natd machine working, protecting a test client box. this gateway box is
> a dell optiplex gx150 pIII 930 mhz with 128 mb of ram, 2 nics - one integrated intel pro 1000,
> the other a really old 3com 3c905b that i pulled out of an old junker computer that we were going
> to throw out.
>
> i would like this gateway box to protect our webserver, our mysql server, and possibly another
> webserver. our webserver is a dual xeon dell poweredge 1650 with 2 gig of ram, it gets sometimes
> more than 100000 hits a day, and is hooked up to a t100 line.
>
> will my little optiplex gateway box be able to keep up with a webserver that's this busy? i know
> i at least have to replace the 3com 3c905b card on it, as i'm pretty sure that that type of nic
> can't even handle a t100 connection. but - is the computer itself fast enough?

You don't say what kind of bandwidth the 100,000 hits/day equates to, but assuming an average of 15k/hit, that equates to about 17k/sec on busy days. If all you're doing on the Optiplex is ipfw filtering and port forwarding, I think it will keep up just fine. If you want it to be a reverse proxy, you may have to beef it up a bit (probably add RAM for the proxy cache).

The Handbook has a statement on IPFW's performance at the end of the firewall section:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
(it's all the way at the bottom) and the tests there seem to indicate that a 486/66 could handle the load you describe.

There are other factors, though. On your busy days, is the load spread out over all or most of the 24 hour period, or does 90% of it come during a 2 hour spike? If it's spiking pretty hard, your requirements might be well above the 17k/sec I estimated.

> also - does anyone
> have any recommendations for a good 4 port hub or switch for this particular purpose? right now
> i'm using an old netgear en 104tp, which is probably not ideal.

Not familiar with the hub you describe, but if you're running 100mb/sec ethernet, you're not even scraping the surface with the bandwidth I estimated. Again, this could change if your busy days are caused by huge spikes over short periods of time that you need to be able to handle.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
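The reply above does its sizing by hand: 100,000 hits/day at an assumed 15k per hit comes to roughly 17k/sec if traffic is spread evenly, and it warns that a 2 hour spike changes the picture. The following is an added example, not code from the thread or from either poster, that carries that estimate through for both the even and the spiky case and compares the result against a 100 Mbit/s link. The 15,000 bytes/hit figure, the 90% / 2 hour spike shape and the `estimate_load` name are assumptions taken from the reply's wording; the numbers cover application payload only and ignore TCP/IP and Ethernet framing overhead, so they are a lower bound on what the gateway actually has to forward.

```python
"""Rough forwarding-load estimate for a packet-filtering gateway.

Added example, not from the mailing-list thread. It reproduces the
arithmetic in the reply (100,000 hits/day at an assumed 15,000 bytes/hit)
and extends it to the "90% of the traffic in a 2 hour spike" case the
reply cautions about. Payload bytes only: framing overhead and the
request direction are ignored, so results are a lower bound.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 24 * 3600
# 100 Mbit/s Fast Ethernet expressed in bytes per second.
FAST_ETHERNET_BYTES_PER_SEC = 100_000_000 // 8


@dataclass
class LoadEstimate:
    average_bytes_per_sec: float   # load if hits were spread evenly over the day
    peak_bytes_per_sec: float      # load inside the assumed busy window
    peak_link_utilisation: float   # fraction of a 100 Mbit/s link used at peak


def estimate_load(hits_per_day: int, bytes_per_hit: int,
                  busy_fraction: float = 0.9, busy_hours: float = 2.0) -> LoadEstimate:
    """Estimate the average and burst throughput the gateway must forward.

    busy_fraction is the share of the day's hits that arrive within a window
    of busy_hours hours. The defaults (90% in 2 hours) are a constructed
    assumption modelled on the spike scenario described in the reply.
    """
    if not 0 < busy_fraction <= 1 or not 0 < busy_hours <= 24:
        raise ValueError("busy_fraction must be in (0, 1] and busy_hours in (0, 24]")
    daily_bytes = hits_per_day * bytes_per_hit
    average = daily_bytes / SECONDS_PER_DAY
    peak = daily_bytes * busy_fraction / (busy_hours * 3600)
    return LoadEstimate(average, peak, peak / FAST_ETHERNET_BYTES_PER_SEC)


if __name__ == "__main__":
    # Constructed inputs from the thread: 100,000 hits/day, ~15 kB per hit.
    even = estimate_load(100_000, 15_000, busy_fraction=1.0, busy_hours=24)
    spiky = estimate_load(100_000, 15_000)
    print(f"evenly spread: {even.average_bytes_per_sec / 1000:.1f} kB/s")
    print(f"2-hour spike : {spiky.peak_bytes_per_sec / 1000:.1f} kB/s "
          f"({spiky.peak_link_utilisation:.2%} of a 100 Mbit/s link)")
```

The even case lands at the reply's ~17 kB/s; the spike case is about ten times higher yet still under 2% of a 100 Mbit/s link, which is the point the reply makes about the hub. Packets per second, not bytes, is what usually limits a small ipfw box on a NIC like the 3c905b, so this payload figure is a sanity check rather than a guarantee.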