My experience with the TIS fwtk (see it on V-ONE's web site:
http://www.v-one.com/pubs/perf/amolitor/html/fwallperf.html
thanks, mjr) suggests that if what you're doing is shoveling
bulk data, a couple of ethernets' worth should be no big deal. I was
able to get a few hundred Kbytes/sec through a 386SX25 with lousy
ethernet cards, and I cannot imagine that a 10x improvement using
a fast Pentium and some good ethernet cards would be difficult.

Packet rate is a little sticky on a proxy firewall since:

1) the packet count on one side will only be approximately the
   same as the other, at best, and may be quite a lot different
   (many TCPs use bigger packets to 'local' hosts than to remote).
2) most proxies are built on a kernel that will copy packets
   around some, so bigger packets will go through it slower
   than smaller ones.
3) Probably lots of 2nd order effects from TCP timers interacting.

I speculate that things do not become really interesting until
you're in the 100Mbit range, for bulk data rates. If you're dealing
with thousands of users at once, each doing a handful of fiddly little
transactions every minute, things also become interesting.

Andrew
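
Point 1 above, as an added example that is not part of the original message and is not fwtk code: a minimal user-space relay showing that a proxy forwards a byte stream and does not preserve the sender's units, so counts on its two sides need not match. Assumptions: local socket pairs stand in for the two TCP connections, read()/write() calls stand in for packets, the workload is constructed, and the names `relay`, `run_demo` and `relay_stats` are hypothetical.

```c
/* Added example, not fwtk code: a relay forwards bytes, not the sender's units. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct relay_stats { long client_writes, proxy_reads, bytes_in, bytes_out; };

/* Copy in_fd to out_fd until EOF, reading at most bufsz bytes per call. */
static int relay(int in_fd, int out_fd, size_t bufsz, struct relay_stats *st)
{
    char *buf = malloc(bufsz);
    ssize_t n = -1;
    while (buf && (n = read(in_fd, buf, bufsz)) > 0) {
        st->proxy_reads++;
        st->bytes_in += n;
        for (ssize_t off = 0, w; off < n; off += w) {   /* handle short writes */
            if ((w = write(out_fd, buf + off, (size_t)(n - off))) < 0) { free(buf); return -1; }
            st->bytes_out += w;
        }
    }
    free(buf);
    return n < 0 ? -1 : 0;
}

/* Constructed workload: the "client" side does n_writes writes of wsize bytes. */
static int run_demo(size_t wsize, int n_writes, size_t bufsz, struct relay_stats *st)
{
    int cli[2], srv[2], rc;
    char chunk[2048];
    memset(st, 0, sizeof *st);
    memset(chunk, 'x', sizeof chunk);
    if (wsize > sizeof chunk || socketpair(AF_UNIX, SOCK_STREAM, 0, cli) ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, srv))
        return -1;
    for (int i = 0; i < n_writes; i++, st->client_writes++)
        if (write(cli[0], chunk, wsize) != (ssize_t)wsize) return -1;
    shutdown(cli[0], SHUT_WR);   /* client is done: the relay will see EOF */
    rc = relay(cli[1], srv[0], bufsz, st);
    close(cli[0]); close(cli[1]); close(srv[0]); close(srv[1]);
    return rc;
}
int main(void)
{
    struct relay_stats st;
    if (run_demo(536, 40, 4096, &st)) return 1;
    printf("client writes=%ld proxy reads=%ld bytes out=%ld\n", st.client_writes, st.proxy_reads, st.bytes_out);
    return 0;
}
```

The byte totals on both sides are equal while the unit counts differ, which is why a bytes/sec figure carries across a proxy more cleanly than a packets/sec figure.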