From owner-freebsd-questions@FreeBSD.ORG Sun Jan 2 14:32:19 2005
Date: Sun, 2 Jan 2005 09:32:14 -0500
From: Bill Moran
To: "Victor Foulk"
cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD Gateway
Message-Id: <20050102093214.10d4b2e1.wmoran@potentialtech.com>
In-Reply-To: <000001c4f09b$f67534d0$68bbbbc0@kewdaeahnhd04i>
References: <000001c4f09b$f67534d0$68bbbbc0@kewdaeahnhd04i>
Organization: Potential Technologies
X-Mailer: Sylpheed version 1.0.0rc (GTK+ 1.2.10; i386-portbld-freebsd4.10)

"Victor Foulk" wrote:

> Hello all,
>
> I have been looking into setting up a network gateway
> using a FreeBSD box, so that I may employ many of the
> network security features of the system (and to
> overcome the fact that the current network is
> insecurely connected to a much larger ~public LAN).
>
> The configuration would be much like this:
> {Internet}--{Huge/NastyLAN}--{FreeBSDGate}--{SafeLAN}
>
> Most of what I see states that I should use
> a *minimum* of:
>
> 266 MHz processor
> 64 MB RAM
> 1 GB HD (actually ~2 GB based on the number of
> desired security apps)
> 2 compatible NICs
>
> What I really had hoped to find was more of an experienced
> networking guru's rule of thumb equating the number of SafeLAN
> workstations with the required gateway RAM/processor, to
> enable all SafeLAN users to experience a minimal network
> transaction time roughly equivalent to what they would see
> if plugged directly into a really good hub.
> Something maybe in the form of:
> Proc Speed = X*Users+Y
> RAM = W*Users+Z
>
> I am far too new at this to have a clue what numbers to use
> to even approximate. Any advice on this matter would be most
> appreciated.
> Thanks!
> Victor

Unfortunately, there isn't a simple way to develop such an equation.
How much CPU/RAM you need is going to be dependent on more than just
the number of computers involved. Two additional factors can play a
large part:

1) The number of firewall rules, and
2) the amount of traffic (such as UDP) that creates dynamic rules.

Rules take time to process, and more traffic takes more time with more
rules. UDP traffic usually requires stateful rules, and that generates
dynamic rules, which increases the amount of time to process each
packet. So it's important to design your ruleset carefully to avoid
unnecessary processing.

However, in my experience, the most critical hardware choice is the
network cards themselves. Cheapo network cards will really hurt
performance under load. So toss the cheapo Realtek cards into the trash
and spend a little extra on an Intel or other name-brand card designed
for a server.

As a general rule of thumb, I won't put FreeBSD on anything smaller
than a 1 GHz with 128 MB of RAM and 4 GB of disk space. While you can
get away with smaller, that's about the minimum before using the box
for maintenance purposes becomes a terrible burden. Try upgrading and
rebuilding world on a 266!

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
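As an added example of the "design your ruleset carefully" point (constructed for this page, not code from the thread or from FreeBSD itself): an ipfw script for the NastyLAN/SafeLAN gateway that puts the dynamic-rule lookup ahead of the static rules, so packets of established flows, including the UDP replies that need stateful rules, are accepted early instead of walking the whole list. The interface names fxp0/fxp1 and the 192.168.10.0/24 prefix are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: an ipfw ruleset for the
# {NastyLAN}--{FreeBSDGate}--{SafeLAN} layout, ordered so the dynamic-rule
# lookup (check-state) runs before the static rules and packets of
# established flows leave the rule walk early. Interface names and the
# SafeLAN prefix are assumed.
ext_if="fxp0"               # assumed: NIC facing the large untrusted LAN
int_if="fxp1"               # assumed: NIC facing SafeLAN
safe_net="192.168.10.0/24"  # assumed: SafeLAN prefix

# Print the rules for review by default; run with IPFW=ipfw on the
# gateway itself to apply them.
IPFW="${IPFW:-echo ipfw}"

build_ruleset() {
    $IPFW -f flush
    # Cheap static checks first: loopback, then anti-spoofing on both
    # sides (no SafeLAN addresses from outside, only SafeLAN from inside).
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 deny ip from 127.0.0.0/8 to any
    $IPFW add 120 deny ip from any to 127.0.0.0/8
    $IPFW add 130 deny ip from "$safe_net" to any in via "$ext_if"
    $IPFW add 140 deny ip from not "$safe_net" to any in via "$int_if"
    # check-state: a packet matching an existing dynamic rule is accepted
    # here and never touches the rules below, however many there are.
    $IPFW add 200 check-state
    # Only SafeLAN-initiated traffic creates dynamic rules (keep-state);
    # replies, including UDP such as DNS, then match at rule 200.
    $IPFW add 300 allow tcp from "$safe_net" to any out via "$ext_if" setup keep-state
    $IPFW add 310 allow udp from "$safe_net" to any 53 out via "$ext_if" keep-state
    # Nothing initiated from the untrusted LAN gets in; log what is dropped
    # so the ordering can be tuned against real traffic later.
    $IPFW add 65000 deny log ip from any to any
}

# Ordering check: succeeds (exit 0) when the dynamic lookup precedes the
# first state-creating rule, which is the property the ruleset relies on.
state_lookup_comes_first() {
    rules=$(IPFW="echo ipfw"; build_ruleset)
    cs=$(printf '%s\n' "$rules" | grep -n 'check-state' | cut -d: -f1)
    ks=$(printf '%s\n' "$rules" | grep -n 'keep-state' | head -n 1 | cut -d: -f1)
    [ -n "$cs" ] && [ -n "$ks" ] && [ "$cs" -lt "$ks" ]
}

# The dynamic table is capped by net.inet.ip.fw.dyn_max, and UDP entries
# expire after net.inet.ip.fw.dyn_udp_lifetime seconds (both via sysctl),
# which bounds the per-packet state lookup the message above warns about.

build_ruleset
```

Fewer static rules in front of check-state means less work per packet on the gateway, which is the sizing lever the reply describes.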