Date:      Tue, 28 Jan 2003 17:04:56 +0800
From:      Shaun Dwyer <shaun@crystal.com.au>
To:        Mike Tancsa <mike@sentex.net>
Cc:        stable@FreeBSD.ORG
Subject:   Re: ipfw2 vs ipfilter
Message-ID:  <3E3647B8.8030103@crystal.com.au>
In-Reply-To: <5.2.0.9.0.20030127143019.069e3380@marble.sentex.ca>
References:  <5.2.0.9.0.20030127143019.069e3380@marble.sentex.ca>

By the sounds of it you'll have quite a few rules defined...

When you are testing with ipf, you may want to investigate 'rule grouping'.
I don't know if ipfw2 does grouping, it probably does (I've never
used ipfw). Either way rule grouping speeds things up considerably
with ipf and large rulesets according to all the docs I've read.

--Shaun

Mike Tancsa wrote:
> 
> Hello all,
> I am looking for information to help me decide which will offer the best 
> performance on a FreeBSD firewall with a LOT of interfaces (50+ vlan 
> ints). I had a search and didn't find anything specifically comparing 
> ipfw2 to ipfilter.  Has anyone done any benchmarks?  If not, I am 
> probably going to take the time to try and simulate it here to see if I 
> can come up with some numbers.  However, I thought I would ask first to 
> see if someone has gone through this exercise before.
> 
> To test things, I was going to use netperf and iperf.  Does anyone have 
> any better recommendations?
> 
> Fast   ------- slower FreeBSD    --------- Fast FreeBSD
> FreeBSD Box    acting as router                box
> 
> 
> And vary between ipfw2 and ipfilter on the slower box with a similar mix 
> of rulesets that I would want to use....
> 
> Rule wise, I am happy with either, except I would really miss ipfw's 
> concept of 'me'.  e.g. ipfw add 5000 deny log tcp from any to me 2604.  
> It makes for much nicer rule writing, but underneath it all, I don't know if 
> it's any better than the 50 plus statements required in ipfilter.
> 
>     ---Mike
> --------------------------------------------------------------------
> Mike Tancsa,                                        tel +1 519 651 3400
> Sentex Communications,                   mike@sentex.net
> Providing Internet since 1994                    www.sentex.net
> Cambridge, Ontario Canada              www.sentex.net/mike
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
> 
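
The effect of ipf rule grouping mentioned in the reply above, as an added example that is not part of either message: a small Python model counts rule comparisons for a flat versus a grouped ruleset across 50 vlan interfaces and renders one group in ipf.conf syntax. The interface names, port list and group numbers are constructed for illustration, and the model counts comparisons only; it is not a benchmark of ipf.

```python
"""Model of ipf rule grouping: rule comparisons for flat vs grouped rulesets."""
N_IFACES = 50                    # constructed: the "50+ vlan ints" scenario
PORTS = [22, 25, 53, 80, 443]    # constructed: allowed TCP ports per interface

def flat_rules():
    # Flat layout: 'pass in quick on vlanN ... port = P' per port, then a block per interface.
    rules = []
    for i in range(N_IFACES):
        rules += [(f"vlan{i}", p, "pass") for p in PORTS]
        rules.append((f"vlan{i}", None, "block"))
    return rules

def grouped_rules():
    # Grouped layout: one head rule per interface; the port rules live in its group.
    return [(f"vlan{i}", [(p, "pass") for p in PORTS]) for i in range(N_IFACES)]

def eval_flat(iface, port):
    checked = 0
    for r_if, r_port, action in flat_rules():
        checked += 1
        if r_if == iface and r_port in (None, port):
            return action, checked       # 'quick': first match ends processing
    return "pass", checked               # ipf passes by default unless built to block

def eval_grouped(iface, port):
    checked = 0
    for head_if, group in grouped_rules():
        checked += 1
        if head_if != iface:
            continue                     # head did not match: its whole group is skipped
        for g_port, action in group:
            checked += 1
            if g_port == port:
                return action, checked
        return "block", checked          # no group rule matched: head rule's action applies
    return "pass", checked

def render_group(i):
    # ipf.conf text for one interface; group number 100+i is an arbitrary choice.
    g = 100 + i
    lines = [f"block in quick on vlan{i} all head {g}"]
    lines += [f"pass in quick proto tcp from any to any port = {p} keep state group {g}"
              for p in PORTS]
    return "\n".join(lines)

if __name__ == "__main__":
    print("flat   :", eval_flat("vlan49", 443))
    print("grouped:", eval_grouped("vlan49", 443))
    print(render_group(49))
```

For a packet arriving on the last interface, the flat layout walks every earlier interface's rules, while the grouped layout checks one head rule per interface plus the rules of a single group.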


