re: firewall high-load performance



Matthew Seaman wrote:
> pf will perform very well. I don't know if anyone has benchmarked it
> against ipfw, but I suspect that any difference in performance is pretty
> minimal. If you're just doing packet filtering and using a fairly
> run-of-the-mill modern machine, you should be able to keep up with Gb
> wire speed without problems.

Actually, I tracked down the guy who had originally given a poor review
of pf performance, and it turns out that the missing part of his review
was related to use of dummynet for bandwidth management. Since I'm not
planning to use dummynet for bandwidth management, that's not really a
factor we need to consider. It looks like, at this point, pf is a good
choice.



> If performance is a limiting factor, then review your rule sets
> carefully: arranging things so that the most popular traffic types are
> handled as early as possible, knowing when to use tables vs. use
> address-list macros and judicious use of quick rules can make quite a
> difference.
>
> Also, /stateful/ rules are generally faster than stateless once you've
> got beyond the initial packet that establishes the state. Looking stuff
> up in the state table is quicker and takes place earlier in the
> processing sequence than traversing the rulesets.
>
> High load may or may not be a problem depending on your traffic patterns.
> I've seen pf firewalls suffer by running out of state-table space in
> situations where there are a lot of fairly short-lived but low volume
> network connections. The default is 10,000 states. If your firewall
> machine is dedicated to running pf and it has hundreds of MB if not GB
> of RAM, then upping the size of some of those parameters by an order of
> magnitude is feasible, and works well.

Thanks for the further elaboration. I'll keep all this in mind as I
investigate the suitability of pf for this project.



> On the whole I'd go with pf every time simply based on how much more
> manageable it is compared to ipfw -- you have to try, hard, to lock
> yourself out when reloading a new pf ruleset.

Just one more reason pf is my favorite firewall.

Thanks for the informative reply.

By the way, apologies if this doesn't thread properly. I never got any
messages from this thread in my inbox, and had to copy everything from
the archive:

http://lists.freebsd.org/pipermail/freebsd-questions/2008-June/176542.html

For some reason, mutt doesn't seem to want me to alter headers to make it
thread properly, and keeps throwing away my edits.

--
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
Dr. Ron Paul: "Liberty has meaning only if we still believe in it when
terrible things happen and a false government security blanket beckons."
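The tuning points discussed in the thread (early quick rules, tables rather than address-list macros, stateful passes, and a state limit raised above the 10,000 default) as a pf.conf sketch added to this archived message; it is not from either poster. Interface names, addresses, the bogons file path and the limit values are assumptions.

```pf
# Added example, not from the thread. Interfaces, addresses, the file
# path and the limits below are assumed values for illustration.
ext_if = "em0"
int_if = "em1"

# Tables are one radix lookup no matter how many entries they hold;
# an address-list macro expands into one rule per address instead.
table <bogons> persist file "/etc/pf/bogons"      # assumed path
table <admins> { 192.0.2.10, 192.0.2.11 }         # constructed addresses

# State-table sizing: the default is 10000 states. On a dedicated box
# with plenty of RAM, raise it (and the source-tracking node limit)
# well above the expected number of concurrent flows so a burst of
# short-lived connections cannot exhaust the table.
set limit { states 100000, src-nodes 50000 }

# Shorter timeouts for half-open and closing TCP states hand slots
# back sooner when most connections are brief.
set timeout { tcp.first 60, tcp.closing 30, tcp.finwait 15 }

set skip on lo0

# Default deny first. Without 'quick' the last matching rule wins and
# every rule is evaluated, so mark the high-volume, cheap-to-decide
# rules 'quick' and place them near the top.
block in all
block in quick on $ext_if from <bogons> to any

# Stateful passes: only the first packet of a flow walks the ruleset;
# every later packet is matched in the state table, which pf consults
# before the rules. Per-rule state caps bound what one rule may consume.
pass out quick on $ext_if proto { tcp udp icmp } from any to any keep state

pass in quick on $ext_if proto tcp from any to ($ext_if) port { 80 443 } \
    flags S/SA keep state (max 50000, source-track rule, max-src-states 200)

pass in quick on $ext_if proto tcp from <admins> to ($ext_if) port 22 \
    flags S/SA keep state

# Less frequent, more specific rules follow here; anything unmatched
# falls through to the default block above.
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f`; `pfctl -si` reports current state-table usage against the limit.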
