Firewall Wizards mailing list archives

Re: FW-1 throughput question


From: "Dameon D. Welch-Abernathy" <dwelch () phoneboy com>
Date: Tue, 16 May 2000 10:44:09 -0700

On Wed, May 17, 2000 at 02:45:01AM +1000, Darren Reed wrote:
 
This is for FW-1 then ?  If so, then that's another reason to can FW-1
and use IP Filter instead :-)

But I didn't think the IP stack in Linux was SMP either (of course, FreeBSD
probably has addressed this problem :-)

What I knew was about 4.0. I do not know if 4.1 still holds true to that.
Someone who actually works at Check Point would have to answer that question.

As far as I know, 4.0 does not run on Linux or FreeBSD so I fail to see how
they are relevant here.

They *are* relevant with respect to IP Filter.
 
Both.

Far out.  At first you were saying FW-1 on Solaris was going to be slow
because of single threaded routing.  I get the distinct impression you
originally had no idea about whether this was true or not - I put it to
you that it is multi-threaded unless there is some global lock I missed.

I actually don't have any idea about this. I'm simply adding some facts
to the discussion to make our guesses more educated!

The Security Servers are a user-level process and work across different
processors, though you must run multiple instances of the security server
(one runs on each process). The FireWall-1 Device Driver is a kernel-level
process. They are different beasts and could theoretically act differently
from one another. 
 
As it is, FW-1 should *not* be routing packets itself, although it may
single thread filtering (does anyone have an _authoritative_ answer ?).

FireWall-1 does not route packets itself. Never has, never will.
 
-- 
Dameon D. Welch-Abernathy                            a.k.a. PhoneBoy
dwelch () phoneboy com                          http://www.phoneboy.com
The views expressed herein are not necessarily those of anyone else.


