Memory Perfection

[sky-knight]

Quote:

Originally Posted by vertigo262

that works for me. I will use newer hardware with 64bit on my newer systems

Don't over do it. 100 users can be behind a UT server with 2gb of RAM easily. Throwing in gobs of RAM is just a waste, take those modules and put them in a workstation that needs an upgrade.

32bit Untangle is more than enough for most situations. The only time you need the 64 is in the relatively rare case of installing Untangle in a larger environment.

So if you don't have a data room... you don't need 64bit. It's really that simple.

[vertigo262]

Any stats on external users? for example. web surfers? let's say I have a website with huge external traffic?

[sky-knight]

Use the policy manager to route inbound TCP 80 traffic into its own rack that has a VERY limited set of services.

Or, use a bypass rule to send traffic to the web server unmolested by the UVM.

Do these things, if you do not, your Untangle will die a very painful death.

A few hundred hits worth of traffic going through your default rack with the AV modules scanning your own content will bring your UT server to its knees.

[RGPEC]

Quote:

Originally Posted by sky-knight

32bit Untangle is more than enough for most situations. The only time you need the 64 is in the relatively rare case of installing Untangle in a larger environment.

You seem extremely knowledeable aboout untangle, so I'm asking this to see your opinion:

My understanding is that running an os in 64 bit mode doesn't just increase access to more memory, it also only lets the cpu process 32 bits at a time rather than 64 - therefore running in 32 bit mode is wasting pretty much half of any cpu sold in the last few years.

From your experience of untangle, I expect you will prove me wrong, hence asking your opinion so I can learn

[sky-knight]

64bit processing has been around for ages. AMD64 architecture for the most part refers only to the memory bus. I think the 486 could do 64bit? I'd have to go look it up. Anyway, 64bit processing != 64bit memory bus.

Lower bit lengths are more efficient unless the OS and application can effectively use the larger bus.

For our purposes the only difference between the two architectures is access to ram. And my 100 user server has 2gb of ram in it stock. 4gb starts at the 500 user and works up from there. You don't need tons of RAM by modern standards for Untangle. Especially not if you're building for 10 people in a small office.

[vertigo262]

Quote:

Originally Posted by sky-knight

Use the policy manager to route inbound TCP 80 traffic into its own rack that has a VERY limited set of services.

Or, use a bypass rule to send traffic to the web server unmolested by the UVM.

Do these things, if you do not, your Untangle will die a very painful death.

A few hundred hits worth of traffic going through your default rack with the AV modules scanning your own content will bring your UT server to its knees.

So I have several untangles, some paid features and some not.

so on the paid
I can create a new rack. but only add firewall to it on inbound?

and then the lite
I can add a bypass rule.
this meaning in the firewall app?
just a direct 80 to web server only inbound?

[sky-knight]

The rack modules aren't directional. But you can define policies that match based on direction to simulate that if you wish.

The firewall module has nothing to do with NAT. So I'm not clear on what you want for the second question.

[vertigo262]

Quote:

Originally Posted by sky-knight

Use the policy manager to route inbound TCP 80 traffic into its own rack that has a VERY limited set of services.

what i was saying is. In order to do this technique. I need a higher version then the Light, which will work on some of my untangles.

But i didn't understand what to put in the new rack.

and also, what about the lite's I have where I can't add a new rack?

or am I not understanding what you mean

[sky-knight]

What do put in the new rack depends on your objective.

I'm just telling you that TCP 80 traffic is TCP 80 traffic. The UVM will intercept and process it exactly the same way regardless of direction.

This means those sessions generate load, and you have to determine what sessions you're going to scan, and what you're going to scan them with. If you don't you will over load your Untangle.

I use Intrusion Prevention, Firewall, and protocol control in the rack that defends my web server. What will you use? What modules make sense to you?

[vertigo262]

Well that's the thing. I like it as tight as possible due to the vast crap on the net.
especially on incoming 80.

protocol, spyware, antivirus, attack blocker, intrusion detection. that's off the top of my head.

Although, maybe untangle should be beefed up to utilize more resources if this is a common problem? now that we have large memory and multi Cpu processing systems.

I would think the majority of my features in the normal rack would be on port 80 incoming. although I don't use many of the features like webcache, etc. mainly the security features.