fbsd-pf at shelton.ca
Tue Mar 8 01:22:18 GMT 2005
When researching firewall choices for a pretty large-scale (1.1Gbit max)
connection, I initially had thought OpenBSD was the best choice
because... well OpenBSD seems to be the default choice for PC-based
firewalling. Then I reconsidered and chose FreeBSD for its support of
the hardware (dual EM64T xeons, 2x dual gigabit cards), especially with
the finer-grained locking, which I thought might help a bit with the
load sharing across the cards.
Initially I ran ipfw and it worked OK but there were little niggles
about it, and recently switched to pf and have been quite happy. It
doesn't seem quite as efficient, it runs about 5-10% higher interrupt
load under top. I still have some tweaking to do too, so I can probably
lower that, but the way pf splits out rules which (IMHO) really should
be aggregated means there are >100k state entries most of the heavy
hours, which obviously is not incredibly easy for anything to handle.
I've wondered about a couple things here though:
Is FreeBSD pretty optimal for using as a firewall in our situation,
especially on that hardware? Might OpenBSD actually perform better with
its "native" filtering solution?
I have no real attachment to any particular platform here. I have to
say pf is much nicer from a user standpoint than ipfw, the tools are
very clean, it's nice to not have the firewall drop all states when
reloading a ruleset, etc. I think I'd like to continue using pf, it's
just the OS it sits on top of that's the variable I'd like to get set.
Thanks for any comments.
More information about the freebsd-pf