Date: Wed, 11 Jun 2008 00:35:14 +0200 (CEST)
From: Wojciech Puchar <wojtek@wojtek.tensor.gdynia.pl>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: firewall high-load performance
Message-ID: <20080611003049.Y21896@wojtek.tensor.gdynia.pl>
In-Reply-To: <484EA9AE.2010407@infracaninophile.co.uk>
References: <20080610152240.GB66787@kokopelli.hydra> <484EA9AE.2010407@infracaninophile.co.uk>
> High load may or may not be a problem depending on your traffic patterns.
> I've seen pf firewalls suffer by running out of state-table space in
> situations where there are a lot of fairly short-lived but low volume
> network connections. The default is 10,000 states. If your firewall machine is

Is this state-table a hash table or something similar? If so, making it much bigger than the CPU cache may actually slow things down, because DRAM access latency is huge on modern machines.

> On the whole I'd go with pf every time simply based on how much more
> manageable it is compared to ipfw -- you have to try, hard, to lock
> yourself out when reloading a new pf ruleset.

I already learned well about locking myself out after making a mistake in ipfw rules. Now I run screen and do something like that:

cd /etc
cp firewall firewall.old
cp firewall firewall.new
<edit> firewall.new
cp firewall.new firewall;/etc/rc.d/ipfw restart;sleep 100;cp firewall.old firewall;/etc/rc.d/ipfw restart

Then I have 100 seconds to quickly test the new rules, at least to make sure I'm not locked out.
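The same apply-then-revert procedure as a reusable function, added here as an example and not taken from the message above: it goes one step further by letting the operator cancel the rollback by creating a confirmation file from a session that is verifiably still reachable. The live ruleset path, the reload command and the confirmation file path are all arguments and assumptions of this example; the ipfw paths in the usage comment are the poster's, not FreeBSD defaults.

```shell
#!/bin/sh
# safe_reload NEW LIVE TIMEOUT RELOAD_CMD CONFIRM_FILE
#   Installs NEW over LIVE, runs RELOAD_CMD, then waits up to TIMEOUT
#   seconds for CONFIRM_FILE to appear. The operator creates that file
#   (e.g. "touch /tmp/fw-ok") from a fresh session once the new rules are
#   known to be working. If it does not appear in time, the previous LIVE
#   ruleset is restored and reloaded, so a bad rule cannot lock you out
#   for longer than TIMEOUT seconds.
#   Returns 0 if the new ruleset was kept, 1 if it was rolled back,
#   2 if the files could not be copied (nothing was changed).
safe_reload() {
    new=$1; live=$2; timeout=$3; reload_cmd=$4; confirm=$5
    old="$live.old"
    cp "$live" "$old" || return 2
    cp "$new" "$live" || return 2
    sh -c "$reload_cmd"
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then
            rm -f "$confirm"      # consume the confirmation
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    # No confirmation arrived: put the previous ruleset back and reload it.
    cp "$old" "$live"
    sh -c "$reload_cmd"
    return 1
}

# Example invocation on the poster's layout (assumed paths), run inside screen:
#   safe_reload /etc/firewall.new /etc/firewall 100 '/etc/rc.d/ipfw restart' /tmp/fw-ok
# When executed with all five arguments the function runs; with none it is only defined.
if [ $# -eq 5 ]; then
    safe_reload "$@"
fi
```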