From: Matthew Seaman
To: FreeBSD Questions
Date: Tue, 10 Jun 2008 17:19:58 +0100
Subject: Re: firewall high-load performance

Chad Perrin wrote:
> My preferred firewall these days, for general use, is pf.  I seem to
> recall someone who has used it in high-load scenarios that it can kinda
> choke at high loads, though I don't recall whether that was due to pf
> itself or the fact he was running it on OpenBSD.  Until now, this has not
> been a concern for me.
>
> I may be getting involved in a commercial project in the near future that
> could very well involve handling very large numbers of connections
> dealing with potentially high bandwidth demands, however.  The
> circumstances would require some QOS, and I'm thinking of using pf/ALTQ
> for this project, but I don't want to discover after we're well underway
> that large numbers of connections would cause problems.  Should I
> consider ipfw or ipfilter instead, or are my concerns with relation to
> pf's ability to handle extremely high loads of legitimate traffic
> unfounded?
>

pf will perform very well.  I don't know if anyone has benchmarked it
against ipfw, but I suspect that any difference in performance is pretty
minimal.  If you're just doing packet filtering and using a fairly run of
the mill modern machine, you should be able to keep up with Gb wire speed
without problems.

If performance is a limiting factor, then review your rule sets carefully:
arranging things so that the most popular traffic types are handled as
early as possible, knowing when to use tables vs. use address-list macros
and judicious use of quick rules can make quite a difference.

Also, /stateful/ rules are generally faster than stateless once you've got
beyond the initial packet that establishes the state.  Looking stuff up in
the state table is quicker and takes place earlier in the processing
sequence than traversing the rulesets.

High load may or may not be a problem depending on your traffic patterns.
I've seen pf firewalls suffer by running out of state-table space in
situations where there are a lot of fairly short-lived but low volume
network connections.  The default is 10,000 states.  If your firewall
machine is dedicated to running pf and it has hundreds of MB if not GB of
RAM, then upping the size of some of those parameters by an order of
magnitude is feasible, and works well.

On the whole I'd go with pf every time simply based on how much more
manageable it is compared to ipfw -- you have to try, hard, to lock
yourself out when reloading a new pf ruleset.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
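A pf.conf fragment that applies the tuning points from the reply above (larger state table, tables instead of address-list macros, quick rules for the busiest traffic, stateful passes), added here as an example and not taken from the thread; the interface name, addresses and blocklist file path are assumed:

```pf
# Added example (not from the original thread). Interface, addresses and
# the blocklist file are assumed values for illustration only.
ext_if = "em0"

# Raise the state table from the default 10,000 by an order of magnitude.
# Only sensible on a dedicated box with plenty of RAM; watch the current
# count with "pfctl -si" and the configured limits with "pfctl -sm".
set limit states 100000

# Tables rather than address-list macros: a macro expands into one rule per
# address, a table is a single lookup no matter how many entries it holds.
table <trusted_admin> { 192.0.2.10, 192.0.2.11 }
table <blocklist> persist file "/etc/pf.blocklist"

# Default policy. pf is last-match-wins unless a rule says "quick", so this
# catches anything that does not match one of the quick rules below.
block in log on $ext_if

# Quick rules stop ruleset evaluation on match, so order them by expected
# volume: cheap table-lookup drops first, then the busiest services.
block in quick on $ext_if from <blocklist> to any

# Stateful passes: after the first SYN creates a state, every later packet
# of the flow is found in the state table and never walks the ruleset.
pass in quick on $ext_if proto tcp to ($ext_if) port { 80, 443 } \
    flags S/SA keep state
pass in quick on $ext_if proto tcp from <trusted_admin> to ($ext_if) port 22 \
    flags S/SA keep state

# Traffic originating from the firewall itself.
pass out quick on $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`.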