Firewall Wizards mailing list archives

Re: FW-1 throughput question


From: Aaron Turner <aturner () vicinity com>
Date: Wed, 17 May 2000 14:52:14 -0700 (PDT)


People who know more than I tell me so.  :)  I think I found it
mentioned once on SunSolve as well, but damned if I can remember where. 

Let me be clear here though.  If you're doing a lot of host (like an FTP
server) traffic, then yes, multiple CPUs will help you.  That does not
hit the routing "engine" of the Solaris kernel.  However, in a firewall
application like FW-1, it does route packets between interfaces, which
would incur the scalability hit.

-- 
Aaron Turner        aturner () vicinity com  650.237.0300 x252
Security Engineer                         Vicinity Corp.        
Cell: 408-314-9874                        http://www.vicinity.com

On Sat, 13 May 2000, Darren Reed wrote:

In some email I received from Aaron Turner, sie wrote:

The part of the Solaris kernel that routes packets (FW-1 is a router) is
single threaded.  Hence, max throughput is determined more by the speed of
the CPU than the number of CPUs.  Two CPUs is probably the sweet spot in
terms of price/performance for sites needing a lot of throughput.  (The
other CPU would be dedicated to other OS/Firewall tasks such as logging.)

Hmmm.  What makes you believe it is single threaded?  I've not seen any
evidence which would support that theory.  I've definitely seen crashes
where there have been numerous threads coming up through hmeread().  One
CPU per interface.

Darren




