From owner-freebsd-pf@FreeBSD.ORG Tue Mar 8 01:22:18 2005
Message-ID: <422CFE40.40703@shelton.ca>
Date: Mon, 07 Mar 2005 17:22:08 -0800
From: Ben Shelton
To: freebsd-pf@freebsd.org
Subject: pf choices
List-Id: Technical discussion and general questions about packet filter (pf)

Hello,

When researching firewall choices for a pretty large-scale (1.1Gbit max) connection, I initially had thought OpenBSD was the best choice because... well, OpenBSD seems to be the default choice for PC-based firewalling. Then I reconsidered and chose FreeBSD for its support of the hardware (dual EM64T Xeons, 2x dual gigabit cards), especially with the finer-grained locking, which I thought might help a bit with the load sharing across the cards.

Initially I ran ipfw and it worked OK, but there were little niggles about it, and I recently switched to pf and have been quite happy. It doesn't seem quite as efficient; it runs about 5-10% higher interrupt load under top. I still have some tweaking to do too, so I can probably lower that, but the way pf splits out rules which (IMHO) really should be aggregated means there are >100k state entries most of the heavy hours, which obviously is not incredibly easy for anything to handle.

I've wondered about a couple of things here though: Is FreeBSD pretty optimal for using as a firewall in our situation, especially on that hardware? Might OpenBSD actually perform better with its "native" filtering solution? I have no real attachment to any particular platform here.

I have to say pf is much nicer from a user standpoint than ipfw; the tools are very clean, it's nice to not have the firewall drop all states when reloading a ruleset, etc. I think I'd like to continue using pf; it's just the OS it sits on top of that's the variable I'd like to get set.

Thanks for any comments.

Ben
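The post complains that pf "splits out" rules that ought to be aggregated. What it is describing is pf's expansion of `{ }` lists: each combination in a list becomes a separate rule after `pfctl` loads the file, so a handful of source lines can turn into dozens of rules. The usual remedy is to put the addresses in a table, which a single rule matches, and to set an explicit ceiling on the state table so that the >100k-entry condition described above is a known limit rather than a surprise. The fragment below is an added illustration written for this archive page, not configuration from the original poster; the interface name `em0`, the address lists and the `10000` limit are assumed values, and `pfctl -vnf` / `pfctl -si` are the standard pf tools for seeing the expansion and the live state count.

```pf
# --- Style the post objects to: a list expands into many rules ---
# After `pfctl -vnf /etc/pf.conf` this single line is shown as 6 rules
# (3 addresses x 2 ports), each with its own counters and evaluation cost.
pass in on em0 proto tcp from { 192.0.2.10, 192.0.2.11, 192.0.2.12 } \
    to any port { 80, 443 } keep state

# --- Aggregated form: one table, one rule ---
# Addresses live in a table; the rule is evaluated once regardless of how
# many entries the table holds, and the table can be edited at runtime
# with `pfctl -t web_clients -T add/delete` without reloading the ruleset.
table <web_clients> { 192.0.2.10, 192.0.2.11, 192.0.2.12 }
pass in on em0 proto tcp from <web_clients> \
    to any port { 80, 443 } keep state

# --- Make the state-table ceiling explicit ---
# The default limit is low for a link of this size; choose a value that
# fits available kernel memory and watch `pfctl -si` ("current entries")
# and the "memory" counter for evidence of states being refused.
set limit states 10000
```

Loading with `pfctl -vnf /etc/pf.conf` prints the expanded rule set without installing it, which is the quickest way to see how much a given list costs; `pfctl -si` reports the number of states currently held against the configured limit.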