firewall high-load performance

Matthew Seaman m.seaman at infracaninophile.co.uk
Tue Jun 10 16:20:14 UTC 2008


Chad Perrin wrote:
> My preferred firewall these days, for general use, is pf.  I seem to
> recall someone who has used it in high-load scenarios that it can kinda
> choke at high loads, though I don't recall whether that was due to pf
> itself or the fact he was running it on OpenBSD.  Until now, this has not
> been a concern for me.
> 
> I may be getting involved in a commercial project in the near future that
> could very well involve handling very large numbers of connections
> dealing with potentially high bandwidth demands, however.  The
> circumstances would require some QOS, and I'm thinking of using pf/ALTQ
> for this project, but I don't want to discover after we're well underway
> that large numbers of connections would cause problems.  Should I
> consider ipfw or ipfilter instead, or are my concerns with relation to
> pf's ability to handle extremely high loads of legitimate traffic
> unfounded?
> 

pf will perform very well.  I don't know if anyone has benchmarked it
against ipfw, but I suspect that any difference in performance is pretty
minimal.  If you're just doing packet filtering and using a fairly run of
the mill modern machine, you should be able to keep up with Gb wire speed
without problems.

If performance is a limiting factor, then review your rule sets carefully:
arranging things so that the most popular traffic types are handled as
early as possible, knowing when to use tables vs. address-list macros,
and judicious use of quick rules can make quite a difference.

Also, /stateful/ rules are generally faster than stateless once you've got
beyond the initial packet that establishes the state.  Looking stuff up
in the state table is quicker and takes place earlier in the processing 
sequence than traversing the rulesets.

High load may or may not be a problem depending on your traffic patterns.
I've seen pf firewalls suffer by running out of state-table space in
situations where there are a lot of fairly short-lived but low volume
network connections.  The default is 10,000 states.  If your firewall
machine is dedicated to running pf and it has hundreds of MB if not GB of
RAM, then upping the size of some of those parameters by an order of
magnitude is feasible, and works well.

On the whole I'd go with pf every time simply based on how much more
manageable it is compared to ipfw -- you have to try, hard, to lock
yourself out when reloading a new pf ruleset.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
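The tuning points raised in the reply above (rule ordering with quick,
tables vs. address-list macros, stateful rules, and raising the state-table
limit) gathered into one pf.conf, as an added example that is not part of
the original message or of the FreeBSD project's documentation.  Interface
names, the RFC 5737 documentation addresses and the limit values are
placeholders for illustration; adjust them to the machine in question.

```pf
# Added example pf.conf (not from the original message).  em0/em1, the
# 192.0.2.x / 198.51.100.x / 203.0.113.x addresses and the limits below
# are assumed placeholders.

ext_if = "em0"
int_if = "em1"

# Macro: a short, fixed list is expanded into one rule per address when
# the ruleset is loaded, so it suits a handful of hosts that rarely change.
web_servers = "{ 192.0.2.10, 192.0.2.11 }"

# Table: a single rule does a hashed lookup however many entries there are,
# and the contents can be changed at run time (pfctl -t blocked -T add ...)
# without reloading the ruleset.
table <blocked> persist { 198.51.100.0/24, 203.0.113.7 }

# State-table space: pf's default is 10,000 states.  On a dedicated box
# with plenty of RAM, raise it by an order of magnitude, and shorten the
# closing timeouts so short-lived connections give their entries back sooner.
set limit states 100000
set limit src-nodes 50000
set optimization normal
set timeout { tcp.finwait 30, tcp.closed 10 }

set skip on lo0
scrub in all

# Known-bad sources first, with quick, so nothing further is evaluated.
block in quick on $ext_if from <blocked> to any

# Default deny, then the most popular traffic up front with quick and
# keep state: only the first packet of a flow walks the ruleset, every
# later packet is matched in the state table, which is consulted before
# the rules are.
block log all

pass in quick on $ext_if proto tcp from any to $web_servers port { 80, 443 } \
    flags S/SA keep state
pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state (max-src-conn-rate 5/30, overload <blocked> flush)

# Less common traffic below: reached only when nothing above matched.
pass out on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any keep state
pass in on $int_if from $int_if:network to any keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it (parse only,
no changes applied), then watch `pfctl -si` for the current state count and
`pfctl -sm` for the configured limits under real traffic; if the state count
sits near the limit while connections are being dropped, that is the
state-table exhaustion described above, and `set limit states` is the knob
to turn.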

More information about the freebsd-questions mailing list