From: Chad Perrin
To: FreeBSD Questions
Date: Tue, 10 Jun 2008 09:22:40 -0600
Subject: firewall high-load performance
Message-ID: <20080610152240.GB66787@kokopelli.hydra>

My preferred firewall these days, for general use, is pf. I seem to recall someone who has used it in high-load scenarios saying that it can kinda choke at high loads, though I don't recall whether that was due to pf itself or the fact he was running it on OpenBSD. Until now, this has not been a concern for me.

I may be getting involved in a commercial project in the near future that could very well involve handling very large numbers of connections dealing with potentially high bandwidth demands, however. The circumstances would require some QOS, and I'm thinking of using pf/ALTQ for this project, but I don't want to discover after we're well underway that large numbers of connections would cause problems.

Should I consider ipfw or ipfilter instead, or are my concerns with relation to pf's ability to handle extremely high loads of legitimate traffic unfounded?

--
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
H. L. Mencken: "Democracy is the theory that the common people know what they want and deserve to get it good and hard."