sadas sadas wrote:
Hi, I want to configure CentOS on powerful server with gigabit adapters as transparent bridge and deploy it in front of server farm. Can you tell how to optimize the OS for hight packet processing? What configurations I need to do to achieve very hight speeds and thousands of packets?
iptables makes a TERRIBLE firewall, use pf instead
http://www.openbsd.org/faq/pf/index.html
Also consider how your going to provide redundancy, if you have a web server farm you want to protect them with at least two firewalls, not one.
http://www.openbsd.org/faq/pf/carp.html
I haven't used CARP myself but did setup a pair of pf firewalls about 5 years ago in a large network in bridging mode, the layer 3 fault tolerance was provided by OSPF on the core switches, the firewalls were active-active(with pfsync) since they were layer 2 only.
Maybe someday linux will fix the overly complex iptables system to something that is more manageable, not holding my breath though.
If you want really high speed(say multi GbE) though you'll want/need to go with an appliance based solution.
Also since your referring to a web server farm, it is perfectly acceptable to not use firewalls these days, if you have a good load balancer that serves the same role as a firewall in that it only passes traffic that you specifically configure it to pass. Also in high traffic environments the performance of load balancers destroys most firewalls, making investing in a high end firewall a very expensive proposition.
I've worked for the better part of the last 10 years with companies who did not have firewalls in front of their web servers for this reason, it didn't make sense $$ wise, because the benefit wasn't there, and the added complexity, and performance implications wasn't worth it either. Talk to most load balancing companies and they'll tell you this themselves.
nate