Date: Mon, 07 Mar 2005 17:22:08 -0800
From: Ben Shelton <fbsd-pf@shelton.ca>
To: freebsd-pf@freebsd.org
Subject: pf choices
Message-ID: <422CFE40.40703@shelton.ca>
Hello,

When researching firewall choices for a pretty large-scale (1.1Gbit max) connection, I initially had thought OpenBSD was the best choice because... well, OpenBSD seems to be the default choice for PC-based firewalling. Then I reconsidered and chose FreeBSD for its support of the hardware (dual EM64T Xeons, 2x dual gigabit cards), especially with the finer-grained locking, which I thought might help a bit with the load sharing across the cards.

Initially I ran ipfw and it worked OK, but there were little niggles about it, and I recently switched to pf and have been quite happy. It doesn't seem quite as efficient; it runs about 5-10% higher interrupt load under top. I still have some tweaking to do too, so I can probably lower that, but the way pf splits out rules which (IMHO) really should be aggregated means there are >100k state entries most of the heavy hours, which obviously is not incredibly easy for anything to handle.

I've wondered about a couple of things here though: Is FreeBSD pretty optimal for using as a firewall in our situation, especially on that hardware? Might OpenBSD actually perform better with its "native" filtering solution? I have no real attachment to any particular platform here.

I have to say pf is much nicer from a user standpoint than ipfw: the tools are very clean, it's nice to not have the firewall drop all states when reloading a ruleset, etc. I think I'd like to continue using pf; it's just the OS it sits on top of that's the variable I'd like to get set.

Thanks for any comments.

Ben