Firewall Wizards mailing list archives
Re: FW-1 throughput question
From: Aaron Turner <aturner () vicinity com>
Date: Wed, 17 May 2000 15:19:40 -0700 (PDT)
On Wed, 17 May 2000, Darren Reed wrote:
In some email I received from Dameon D. Welch-Abernathy, sie wrote:
On Tue, May 16, 2000 at 06:54:31PM +1000, Darren Reed wrote:
According to what I know, the kernel module does not take advantage of multiple processors.
This is for FW-1 then? If so, then that's another reason to can FW-1 and use IP Filter instead :-)
But I didn't think the IP stack in Linux was SMP either (of course, FreeBSD probably has addressed this problem :-) What I knew was about 4.0. I do not know if 4.1 still holds true to that. Someone who actually works at Check Point would have to answer that question.
As far as I know, 4.0 does not run on Linux or FreeBSD so I fail to see how they are relevant here.
You said it was a reason to use IPFilter on Linux - which has a single threaded IP stack.
not, but take it for what it's worth. The Security Server processes *do* take advantage of multiple processors (have since 4.0).
Err, what are you talking here - NT or Solaris?
Both.
Far out. At first you were saying FW-1 on Solaris was going to be slow because of single threaded routing.
Neither Dameon nor I said that. I said that routing on Solaris has a scalability problem that can't be solved by adding additional CPUs. Solaris's routing is actually quite fast for a "software router".
I get the distinct impression you originally had no idea about whether this was true or not - I put it to you that it is multi-threaded unless there is some global lock I missed.
I think you're getting Dameon confused with me. He never said the Solaris kernel routing engine is single threaded - I did. I honestly don't care if you believe me to be correct or not. You're not paying me for my opinion. Go call Sun, read SunSolve, or read the Solaris source code if you're so itchy to find out.
As it is, FW-1 should *not* be routing packets itself, although it may single thread filtering (does anyone have an _authoritative_ answer?).
I've asked Checkpoint. So far they haven't been able to tell me either way if 4.1's inspection engine is multi-threaded or not.
--
Aaron Turner aturner () vicinity com 650.237.0300 x252
Security Engineer Vicinity Corp. Cell: 408-314-9874
http://www.vicinity.com