com ("Marcus J. Ranum") writes:
> Process creation and forking and all that stuff is an
> absolutely insignifcant delay. We're talking microseconds. Maybe
> a millisecond or 2 if you actually need to page [most UNIX boxes
> keep spare pages for startup overhead just against this case].
This is true (and the whole article is great, actually), but being able run
1000 forks/second isn't always enough because things can be a little more
complicated than that. The experience from here in the trenches is that
what really stresses firewall performance is Netscape. A user clicking on
one page can cause a dozen or more simultaneous opens across the firewall -
what this turns into is a dozen connections to inetd, each of which
requires a fork, exec sockd (open sockd executable and build page tables),
open sockd.conf, read and parse it, open sockd.route, read and parse it,
make outgoing connection and forward a 200-byte icon inbound, write log
files and close everything down. The firewall can be way overdesigned and
still be a busy little box for a few seconds, and if multiple users are
surfing at the same time then they'll feel the contention. This will
happen even if the CPU is 90% idle over the course of a day, since the load
is so bursty. You can't rely on the network to throttle the load either,
since you could be doing all this work for 10 KB of text and icons.
(I know this can be fixed by running the newest sockd standalone rather
than from inetd; this was only recently made possible.)
> I've actually not seen any real life reason to run multiple
> firewalls other than if someone was worried about failure and uptime.
> In that case, the complexity issue is not too bad: for failure
> resistance, the 2 machines need to be as independent as possible,
> which minimizes interdependencies and therefore complexity. Basically
> you have 2 standalone firewalls in parallel.
Yup, we do that here (and it does make a difference). This is mainly for
e-mail, since even if we have ftp proxying down for a few hours due to a
SCSI bus hang, we can't leave e-mail down for that long. A lot of the
people on the inside of the firewall here are Swedes and Australians who
perversely insist on working in the middle of the night.
The thing that makes parallel bastions hard is routing. If you've got
dual-homed opaque hosts wired up in parallel:
--------- host1 ---------
Inside ---| |---Router--- Outside
| 126.96.36.199 188.8.131.52 |
--------- host2 ---------
and you want to be able to reach either host at either address, then you
need host-routes from both sides, since network routes will stop one host
or the other from being reachable.
Tom Fitzgerald 1-508-967-5278 Wang Labs, Lowell MA, USA fitz @