Q: case studies about scalable, enterprise-class firewall w/
IPFilter
Jordi Espasa Clofent
jespasac at minibofh.org
Wed Aug 6 10:49:03 UTC 2008
> I'm amazed at the fact that people are actually comparing FreeBSD with
> pf to Juniper routers. I've a bit of experience with M20s and M40s, and
> I can assure you they're VERY different than a little x86 PC routing
> packets, and are significantly faster due to hardware routing.
>
> For example, you should be aware of a pf(4) bug that was only recently
> fixed. Our FreeBSD systems only use ACLs + state track, and have low
> network I/O (600kbit/sec) -- yet this sort of thing impacts production
> packets on a webserver:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/125261
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c
>
> Max committed the fix to CURRENT, and it should be MFC'd on the 11th. I
> hope it gets backported to RELENG_6 as well, since it's pretty major
> (IMHO).
Yes. That's my main personal reason to work with OpenBSD instead of
FreeBSD when I need a dedicated PF device.
> My point isn't to insult or poke fun at pf or FreeBSD. I'm simply
> stating "if you really think an x86 box with pf is better than a
> Juniper, you're sadly mistaken". I'm not telling you to go out and buy
> a Juniper either, especially if it's out of your price range -- but you
> really need to be more aware of the differences before toting the "my
> FreeBSD box can do the job better!" attitude. I'm glad FreeBSD with pf
> works for you, though.
Good reasoning, Jeremy.
I don't say that an x86 pf-based box is better than a Juniper. I only comment
that, in my case, I do all I need with two standard boxes instead of an
expensive Juniper device. Anyway, it's clear that if one day the best solution
is a Juniper device, I will purchase it. But at the present moment, it isn't
(300Mbps/500Mbps).
> On the other hand, I find it amusing that Juniper's routers use ATA
> disks. A single disk failure results in the system becoming unusable
> administratively (requiring a reboot), while the routing engine still
> works fine (e.g. packets are still routed properly, ACLs applied,
> etc.). Config data is kept on CF, so that isn't lost. You just can't
> SSH into it, and all you'll see on serial console is repetitive ATA and
> SMART errors. I've seen this happen on three separate routers on three
> separate occasions at my workplace.
Interesting.
My OpenBSD+PF FWs also run with ATA disks at present, but I'm designing
a new CF-based implementation.
;)
--
Thanks,
Jordi Espasa Clofent