Date: Thu, 16 Jan 2003 16:08:04 -0700
From: Nate Williams <nate@yogotech.com>
To: Terry Lambert <tlambert2@mindspring.com>
Cc: Josh Brooks <user@mail.econolodgetulsa.com>, Sean Chittenden <sean@chittenden.org>, freebsd-hackers@freebsd.org, nate@yogotech.com
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID: <15911.15188.728351.631767@emerger.yogotech.com>
In-Reply-To: <3E2739D1.5402B7A6@mindspring.com>
References: <20030116124254.J9642-100000@mail.econolodgetulsa.com> <3E2739D1.5402B7A6@mindspring.com>
> > So, you say that a poorly configured netscreen is no better than a poorly
> > configured freebsd+ipfw ... but what about the best possibly configured
> > netscreen vs. the best possibly configured freebsd+ipfw ?
>
> The answer to that particular question depends on what you mean
> by "configured".
>
> Netscreen has integral load shedding in its stack.
>
> FreeBSD is actually adding pointers and other complexity to its
> stack, to attribute packets with metadata for mandatory access
> controls, and for some of the IPSEC and other stuff that Sam
> Leffler has been doing. If you have IPSEC compiled into your
> kernel at all, each connection setup for IPv4, and the per
> connection overhead for IPv4, is very, very high, because the
> IPSEC code allocates a context, even if IPSEC is never invoked,
> rather than using a default context.

Except that it's acting as a router, and as such there is no 'setup'
except for the one he is using to configure/monitor the firewall via
SSH. In essence, a no-op in a dedicated firewall setup.

> FreeBSD timers used in
> the TCP stack do not scale well (this is relative to your point
> of view, e.g. they don't scale well to 1,000,000 connections,
> but can be tuned to be "OK" for 10,000 connections).

Again, you're missing the point. This is a dedicated firewall, not a
firewall being used at the point of service.

[ The rest of the irrelevant descriptions deleted ]

Nate