From: Chad Perrin
To: freebsd-questions@freebsd.org
Date: Tue, 10 Jun 2008 15:58:29 -0600
Subject: re: firewall high-load performance
Matthew Seaman wrote:

> pf will perform very well. I don't know if anyone has benchmarked it
> against ipfw, but I suspect that any difference in performance is pretty
> minimal. If you're just doing packet filtering and using a fairly run-of-
> the-mill modern machine, you should be able to keep up with Gb wire speed
> without problems.

Actually, I tracked down the guy who had originally given a poor review of
pf performance, and it turns out that the missing part of his review was
related to use of dummynet for bandwidth management. Since I'm not planning
to use dummynet for bandwidth management, that's not really a factor we
need to consider. It looks like, at this point, pf is a good choice.

> If performance is a limiting factor, then review your rule sets
> carefully: arranging things so that the most popular traffic types are
> handled as early as possible, knowing when to use tables vs. use
> address-list macros and judicious use of quick rules can make quite a
> difference.
>
> Also, /stateful/ rules are generally faster than stateless once you've
> got beyond the initial packet that establishes the state. Looking stuff
> up in the state table is quicker and takes place earlier in the
> processing sequence than traversing the rulesets.
>
> High load may or may not be a problem depending on your traffic patterns.
> I've seen pf firewalls suffer by running out of state-table space in
> situations where there are a lot of fairly short-lived but low volume
> network connections. The default is 10,000 states. If your firewall
> machine is dedicated to running pf and it has hundreds of MB if not GB
> of RAM, then upping the size of some of those parameters by an order of
> magnitude is feasible, and works well.

Thanks for the further elaboration. I'll keep all this in mind as I
investigate the suitability of pf for this project.
> On the whole I'd go with pf every time simply based on how much more
> manageable it is compared to ipfw -- you have to try, hard, to lock
> yourself out when reloading a new pf ruleset.

Just one more reason pf is my favorite firewall.

Thanks for the informative reply.

By the way, apologies if this doesn't thread properly. I never got any
messages from this thread in my inbox, and had to copy everything from the
archive:

http://lists.freebsd.org/pipermail/freebsd-questions/2008-June/176542.html

For some reason, mutt doesn't seem to want me to alter headers to make it
thread properly, and keeps throwing away my edits.

-- 
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
Dr. Ron Paul: "Liberty has meaning only if we still believe in it when
terrible things happen and a false government security blanket beckons."
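A pf.conf fragment, added here as an illustration and not part of the thread, that puts the three tuning points quoted above together: a state-table limit raised by an order of magnitude from the 10,000 default, tables in place of address-list macros, and stateful quick rules for the most common traffic placed first. The interface name em0, the addresses and the exact limit value are assumptions.

```pf
# Added illustration, not from the thread. Interface name, addresses and
# the limit value are assumptions chosen to show the tuning discussed.
ext_if = "em0"

# The default is 10,000 states. A dedicated firewall with hundreds of MB
# of RAM can hold an order of magnitude more; src-nodes is sized with it
# because the overload/source-tracking rule below consumes those entries.
set limit { states 100000, src-nodes 100000 }

# Tables are looked up in a radix tree, so the cost barely grows with the
# number of entries. A macro holding the same addresses would expand into
# one rule per address, each evaluated in turn.
table <admin_hosts> persist { 192.168.1.10, 192.168.1.11 }
table <abusers> persist

set skip on lo0

# Last-match default. Every rule below carries "quick", so a packet that
# matches one of them never falls through to this line.
block in log all
pass out quick on $ext_if keep state

# Cheap table lookup first: anything already moved into <abusers> is
# dropped before the more expensive stateful rules are reached.
block in quick on $ext_if from <abusers>

# Most popular traffic next. Only the SYN of each flow walks the ruleset;
# later packets match in the state table, which is checked earlier.
# Sources opening more than 100 connections in 10 s are added to
# <abusers> and their existing states flushed, which protects the state
# table from a flood of short-lived connections.
pass in quick on $ext_if proto tcp to ($ext_if) port { 80 443 } \
    flags S/SA keep state (max-src-conn-rate 100/10, \
    overload <abusers> flush global)

# Lower-volume management traffic comes last, restricted by table.
pass in quick on $ext_if proto tcp from <admin_hosts> to ($ext_if) port 22 \
    flags S/SA keep state
```

After loading the ruleset, `pfctl -s memory` prints the configured limits and `pfctl -si` the current number of state-table entries, so headroom can be checked against real traffic rather than guessed.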