[CentOS] Theoretical Firewall Specs?

John R Pierce pierce at hogranch.com
Tue Jan 17 23:52:06 UTC 2012


On 01/17/12 3:36 PM, Jason T. Slack-Moehrle wrote:
> So, the more I look at various ways to lay out my infrastructure, the more I am thinking about specs for hardware.
>
> Starting with firewalling.
>
> How does one determine the specs for a firewall?
>
> What I mean is:
>
> 1. motherboard/CPU - p4? Dual-Core? Intel i3, i5, i7?
>
> 2. RAM? 4gb? 8gb? More? 32gb?
>
> 3. Obviously GB Nics!
>
> I am bring about 300gb of traffic a month right now and I expect that to increase significantly with my next offerings.
>
> Obviously one answer is to but a beefy motherboard that supports lots of RAM and add more as needed, but where does one start out?
>
> How do I know if my firewall would need more RAM?
>
> How do I know if the CPU is good enough?

a pure firewall at gigE speeds really doesn't need that much ram and 
only a fair-to-middling processor.  more than 2 cores would likely be 
wasted.   Its when you start layering other server functionality on top 
of the firewall system is when you need more hardware.

I'd expect with a firewall-centric OS distribution like pfSense, a dual 
core 2-3Ghz I3 could easily keep up with gigE and quite complex rule 
sets, several network zones.  No storage requirements at all, unless you 
plan on keeping your logging local on the firewall.   to maintain gigE 
throughput you'll want to use server grade NICs and not cheap desktop 
ones.  If you're using a lot of VPN encryption, more and/or faster CPU 
cores would be useful.  a few 100MB of ram is plenty for 100s of 1000s 
of concurrent connections, so unless you're doing other ram intensive 
stuff like Snort or NetTop, 1GB ram would be plenty.



-- 
john r pierce                            N 37, W 122
santa cruz ca                         mid-left coast




More information about the CentOS mailing list