Subject: Re: [fw-wiz] FW-1 throughput question
From: Darren Reed (darrenrreed.wattle.id.au)
Date: Tue May 16 2000 - 11:45:01 CDT


In some email I received from Dameon D. Welch-Abernathy, sie wrote:
> On Tue, May 16, 2000 at 06:54:31PM +1000, Darren Reed wrote:
>
> > > According to what I know, the kernel module does not take advantage of
> > > multiple processors.
> >
> > This is for FW-1 then ? If so, then that's another reason to can FW-1
> > and use IP Filter instead :-)
>
> But I didn't think the IP stack in Linux was SMP either (of course, FreeBSD
> probably has addressed this problem :-)
>
> What I knew was about 4.0. I do not know if 4.1 still holds true to that.
> Someone who actually works at Check Point would have to answer that question.

As far as I know, 4.0 does not run on Linux or FreeBSD so I fail to see how
they are relevant here.

> > > not, but take it for what it's worth. The Security Server processes *do*
> > > take advantage of multiple processors (have since 4.0).
> >
> > Err, what are you talking here - NT or Solaris ?
>
> Both.

Far out. At first you were saying FW-1 on Solaris was going to be slow
because of single threaded routing. I get the distinct impression you
originally had no idea about whether this was true or not - I put it to
you that it is multi-threaded unless there is some global lock I missed.

As it is, FW-1 should *not* be routing packets itself, although it may
single thread filtering (does anyone have an _authoritative_ answer?).

Darren