[CentOS] Optimizing CentOS for gigabit firewall
Chan Chung Hang Christopher
christopher.chan at bradbury.edu.hk
Sun Dec 20 15:50:53 UTC 2009
Peter Serwe wrote:
> I'll second damn near everything nate said, and hopefully add a tidbit or
> If you're new to BSD, you may want to consider the pfsense project in the
> aforementioned active-active configuration.
> It gives you a nice, intuitive gui to manage your failover firewalls, if you
> insist on putting a firewall in front of your web servers.
> Better to secure the box, leave only the ports you need open on the public
> interfaces, and don't firewall them.
> Also, I'd strongly consider running your firewalls with no disk at all. A
> Live CD, CF card or USB Flash to boot off of, remote syslog and
> one less subsystem (disks) to buy/fail makes for some mighty cheap 1U
> servers. A single dual-core with core speeds above 3.0GHz
> and 4GB of RAM is to pass Gb @ line rate - ethernet overhead. Truth be
> told, it's already being done on much less
/me going to try to get a diskless OpenBSD setup again.
> than that. You can also load balance your traffic, albeit somewhat
> primitively with it. If you really want massive throughput, consider toying
> around with extremely expensive 10G gear, size RAM appropriately, and see
> how PF performs under multi-processor, high-core speed.
> but if you're handling over a Gb of traffic and you can't split the
> application into multiple farms, that's the best move.
That part about high-core speed for OpenBSD pf is definitely on. The
multi-processor part...not too sure. Maybe with NUMA systems like what
you get on AMD Opteron platforms.