[Bda] an interesting setup

skaya@enix.org skaya@enix.org
Thu, 17 May 2001 21:02:22 +0200 (CEST)


[reposted from the VLAN linux mailing list]

We have a project here using VLANs to create "per-user" firewalling. Our
rules are created using groups and user accounts, and some hooks in Samba
provide the IP translation. To create the firewall between every server
and the users, we are using proxy ARP. Each server is on a "private" VLAN
and Linux is on the 802.1q port.

By using proxy ARP, we do not have to rework the IP network. The servers
keep the same IP. The proxy-ARP entries are generated from the firewall
rules.

We expect to end up with 10,000 to 20,000 ipchains rules most of the time
(this moves as users log in and out).

To check the performance, we have created a worst-case scenario. It was
something like 256 users trying to access around 10 services on 10
different servers, and all the firewall rules to control that. We ended
up with 130,000 rules (don't try "ipchains -L" on that).

Then we clocked 300 megabits/second. This was somewhat biased: it was using
TCP sessions (so larger packets) and we tested this using 6 workstations, so
the cache was used optimally.

Yet the server was still responsive and seemed to do nothing. A PIII-700
with PC100 RAM. Make sure you are using chains and dispatch rules, so that the
longest sequence tested is below 100. Putting 2000 rules in a single
chain kills the server.

Note that such a PC has roughly 175 megabytes/second memory bandwidth, so
the 300 megaBITs (2 x 300 in fact, since packets are getting in and out) are
not so scary after all. Note that a PIII-800 with PC133 RAM does about
300 megabytes/second (memory bandwidth), and even better is available. So
there seems to be good potential to rock!

---------------------------------------------------------
Jacques Gelinas <jack@solucorp.qc.ca>
nt2linux: NT to Linux migration kit
http://www.solucorp.qc.ca/
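The post's key operational advice is to split the per-user rules into dispatch chains so that no packet ever walks more than about a hundred rules. The following is an added example illustrating that layout; it is not code from the original post or from the poster's project. It generates an ipchains ruleset for the 256-user / 10-server / 10-service worst case as a four-level tree (server, /28 group of users, user, service) and then walks the chains the way ipchains does to measure how many rules a packet actually hits. The address plan (servers on 10.0.1.x, users on 10.0.2.x), the service list, and the `allowed()` permission function are assumptions standing in for the Samba/group hooks the post mentions.

```python
"""Generate a per-user ipchains ruleset as a tree of dispatch chains and
measure the longest rule sequence any one packet can traverse.

Added example, not code from the original post.  The address plan (servers on
10.0.1.x, users on 10.0.2.x), the service list and the permission function are
assumptions standing in for the poster's Samba/group hooks."""
import ipaddress
from collections import defaultdict

SERVERS = [f"10.0.1.{i}" for i in range(1, 11)]                          # 10 servers (assumed)
USERS = [str(ipaddress.ip_address("10.0.2.0") + i) for i in range(256)]  # 256 users (assumed)
SERVICES = [22, 25, 53, 80, 110, 139, 143, 389, 443, 445]                # 10 TCP services (assumed)
GROUP_SIZE, GROUP_PREFIX = 16, 28   # 16 users per /28 dispatch chain
POLICY = "DENY"                     # policy of the input chain


def allowed(user_idx, server_idx, port):
    """Hypothetical permission map: who may reach which service on which server."""
    return (user_idx + server_idx + port) % 3 != 0


def _cmd(chain, match, target):
    """Render one rule in ipchains syntax (the port follows the -d address)."""
    parts = ["ipchains", "-A", chain]
    if "src" in match:
        parts += ["-s", match["src"]]
    if "port" in match:
        parts += ["-p", "tcp", "-d", match["dst"], str(match["port"])]
    elif "dst" in match:
        parts += ["-d", match["dst"]]
    return " ".join(parts + ["-j", target])


def build_ruleset():
    """Return (commands, chains).  chains maps a chain name to its ordered
    (match, target) rules; commands is the ipchains script that creates them.
    Chain names are kept within ipchains' 8-character label limit."""
    chains, commands = defaultdict(list), []

    def rule(chain, match, target):
        chains[chain].append((match, target))
        commands.append(_cmd(chain, match, target))

    for si, srv in enumerate(SERVERS):
        sc = f"s{si}"
        commands.append(f"ipchains -N {sc}")
        rule("input", {"dst": srv}, sc)                          # level 1: which server
        for g in range(0, len(USERS), GROUP_SIZE):
            gc = f"{sc}g{g // GROUP_SIZE}"
            commands.append(f"ipchains -N {gc}")
            rule(sc, {"src": f"{USERS[g]}/{GROUP_PREFIX}"}, gc)  # level 2: which /28 of users
            for ui in range(g, g + GROUP_SIZE):
                uc = f"{gc}u{ui - g}"
                commands.append(f"ipchains -N {uc}")
                rule(gc, {"src": USERS[ui]}, uc)                 # level 3: which user
                for port in SERVICES:                            # level 4: per-service verdict
                    verdict = "ACCEPT" if allowed(ui, si, port) else "DENY"
                    rule(uc, {"dst": srv, "port": port}, verdict)
    return commands, chains


def _matches(match, src, dst, port):
    if "dst" in match and dst != match["dst"]:
        return False
    if "src" in match and ipaddress.ip_address(src) not in ipaddress.ip_network(match["src"]):
        return False
    return "port" not in match or port == match["port"]


def evaluate(chains, src, dst, port, chain="input"):
    """Walk the chains the way ipchains does: a user chain that matches nothing
    returns to its caller.  Returns (verdict or None, rules examined)."""
    examined = 0
    for match, target in chains[chain]:
        examined += 1
        if not _matches(match, src, dst, port):
            continue
        if target in ("ACCEPT", "DENY"):
            return target, examined
        verdict, sub = evaluate(chains, src, dst, port, target)
        examined += sub
        if verdict is not None:
            return verdict, examined
    return None, examined


def check_packet(chains, src, dst, port):
    """Final verdict for a packet, applying the input-chain policy on fall-through."""
    verdict, examined = evaluate(chains, src, dst, port)
    return verdict or POLICY, examined


def longest_sequence(chains, chain="input"):
    """Upper bound on rules examined by one packet: all rules of this chain plus
    the worst sub-chain (dispatch matches are disjoint, so at most one fires)."""
    subs = [longest_sequence(chains, t) for _, t in chains[chain] if t in chains]
    return len(chains[chain]) + max(subs, default=0)


if __name__ == "__main__":
    cmds, chains = build_ruleset()
    print(len(cmds), "commands;", sum(" -A " in c for c in cmds), "rules")
    print("longest sequence:", longest_sequence(chains))
    print(check_packet(chains, USERS[255], SERVERS[9], 12345))
```

With this layout the 25,600 verdict rules (256 users x 10 servers x 10 services) are reached through only 2,730 dispatch rules, and the worst packet (last server, last user group, last user, unknown port) is compared against 52 rules before falling through to the input policy. The same 25,600 rules appended to a single chain would be scanned linearly, which is the situation the post warns about. The server list that feeds level 1 is also the list from which the proxy-ARP entries for the private VLANs would be derived.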