Q: case studies about scalable, enterprise-class firewall w/ IPFilter

Jordi Espasa Clofent jespasac at minibofh.org
Wed Aug 6 10:49:03 UTC 2008


> I'm amazed at the fact that people are actually comparing FreeBSD with
> pf to Juniper routers.  I've a bit of experience with M20s and M40s, and
> I can assure you they're VERY different than a little x86 PC routing
> packets, and are significantly faster due to hardware routing.
> 
> For example, you should be aware of a pf(4) bug that was only recently
> fixed.  Our FreeBSD systems only use ACLs + state track, and have low
> network I/O (600kbit/sec) -- yet this sort of thing impacts production
> packets on a webserver:
> 
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/125261
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c
> 
> Max committed the fix to CURRENT, and it should be MFC'd on the 11th.  I
> hope it gets backported to RELENG_6 as well, since it's pretty major
> (IMHO).

Yes. That's my main personal reason to work with OpenBSD instead of 
FreeBSD when I need a PF-dedicated device.

> My point isn't to insult or poke fun at pf or FreeBSD.  I'm simply
> stating "if you really think an x86 box with pf is better than a
> Juniper, you're sadly mistaken".  I'm not telling you to go out and buy
> a Juniper either, especially if it's out of your price range -- but you
> really need to be more aware of the differences before toting the "my
> FreeBSD box can do the job better!" attitude.  I'm glad FreeBSD with pf
> works for you, though.

Good reasoning Jeremy.
I don't say that an x86 pf-based box is better than a Juniper. I only comment 
that, in my case, I do all I need with two standard boxes instead of an 
expensive Juniper device. Anyway, it's clear that if one day the best solution 
is a Juniper device, I will purchase it. But at the present moment, it isn't 
(300Mbps/500Mbps).

> On the other hand, I find it amusing that Juniper's routers use ATA
> disks.  A single disk failure results in the system becoming unusable
> administratively (requiring a reboot), while the routing engine still
> works fine (e.g.  packets are still routed properly, ACLs applied,
> etc.).  Config data is kept on CF, so that isn't lost.  You just can't
> SSH into it, and all you'll see on serial console is repetitive ATA and
> SMART errors.  I've seen this happen on three separate routers on three
> separate occasions at my workplace.

Interesting.
My OpenBSD+PF FWs run at present with ATA disks also, but I'm designing 
a new CF-based implementation.

;)
-- 
Thanks,
Jordi Espasa Clofent