From owner-freebsd-hackers Thu Jan 16 15: 8:16 2003 Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A446737B401 for ; Thu, 16 Jan 2003 15:08:14 -0800 (PST) Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9BEE243F1E for ; Thu, 16 Jan 2003 15:08:13 -0800 (PST) (envelope-from nate@yogotech.com) Received: from emerger.yogotech.com (emerger.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id QAA00847; Thu, 16 Jan 2003 16:08:05 -0700 (MST) (envelope-from nate@yogotech.com) Received: (from nate@localhost) by emerger.yogotech.com (8.12.6/8.12.6) id h0GN84UB068786; Thu, 16 Jan 2003 16:08:04 -0700 (MST) (envelope-from nate) From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15911.15188.728351.631767@emerger.yogotech.com> Date: Thu, 16 Jan 2003 16:08:04 -0700 To: Terry Lambert Cc: Josh Brooks , Sean Chittenden , freebsd-hackers@freebsd.org, nate@yogotech.com Subject: Re: FreeBSD firewall for high profile hosts - waste of time ? In-Reply-To: <3E2739D1.5402B7A6@mindspring.com> References: <20030116124254.J9642-100000@mail.econolodgetulsa.com> <3E2739D1.5402B7A6@mindspring.com> X-Mailer: VM 7.07 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid Reply-To: nate@yogotech.com (Nate Williams) Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG > > So, you say that a poorly configured netscreen is no better than a poorly > > configured freebsd+ipfw ... but what about the best possibly configured > > netscreen vs. the best possibly configured freebsd+ipfw ? > > The answer to that particular question depends on what you mean > by "configured". > > Netscreen hs integral load shedding in its stack. > > FreeBSD is actually adding pointers and other complexity to its > stack, to attribute packets with metadata for mandatory access > controls, and for some of the IPSEC and other stuff that Sam > Leffler has been doing. If you have IPSEC compiled into your > kernel at all, each coneection setup for IPv4, and the per > connection overhead for IPv4, is very, very high, because the > IPSEC code allocates a context, even if IPSEC is never invoked, > rather than using a default context. Except that it's acting as a router, and as such there is no 'setup' except for the one he is using to configure/monitor the firewall via SSH. In essence, a no-op in a dedicated firewall setup. FreeBSD timers used in > the TCP stack to not scale well (this is relative to your point > of view, e.g. they don't scale well to 1,000,000 connections, > but can be tuned to be "OK" for 10,000 connections). Again, you're missing the point. This is a dedicated firewall, not a firewall being used at the point of service. [ The rest of the irrelevant descriptions deleted ] Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message