pf choices

Ben Shelton fbsd-pf at shelton.ca
Tue Mar 8 01:22:18 GMT 2005


Hello,
When researching firewall choices for a pretty large-scale (1.1Gbit max) 
connection, I initially had thought OpenBSD was the best choice 
because... well, OpenBSD seems to be the default choice for PC-based 
firewalling.  Then I reconsidered and chose FreeBSD for its support of 
the hardware (dual EM64T Xeons, 2x dual gigabit cards), especially with 
the finer-grained locking, which I thought might help a bit with the 
load sharing across the cards.

Initially I ran ipfw and it worked OK, but there were little niggles 
about it, and I recently switched to pf and have been quite happy.  It 
doesn't seem quite as efficient; it runs about 5-10% higher interrupt 
load under top.  I still have some tweaking to do too, so I can probably 
lower that, but the way pf splits out rules which (IMHO) really should 
be aggregated means there are >100k state entries most of the heavy 
hours, which obviously is not incredibly easy for anything to handle.

I've wondered about a couple of things here though:

Is FreeBSD pretty optimal for using as a firewall in our situation, 
especially on that hardware?  Might OpenBSD actually perform better with 
its "native" filtering solution?

I have no real attachment to any particular platform here.  I have to 
say pf is much nicer from a user standpoint than ipfw: the tools are 
very clean, it's nice to not have the firewall drop all states when 
reloading a ruleset, etc.  I think I'd like to continue using pf; it's 
just the OS it sits on top of that's the variable I'd like to get set.

Thanks for any comments.
Ben
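An added example, not from Ben's mail or from the FreeBSD project, of how the rule-expansion and state-table concerns above are usually handled in pf.conf: a table instead of a host list so pfctl does not expand one rule into many, an explicit `set limit` sized from the observed peak, shorter timeouts, and per-rule state caps. Interface names, addresses and the numeric limits are assumed.

```pf
# Constructed pf.conf fragment (added example, not the poster's ruleset).
# Interface names, addresses and limits are assumptions.
ext_if = "em0"
int_if = "em1"

# A table is one lookup object. A { host, host, ... } list inside a rule
# is expanded by pfctl into one rule per host, which is the "splitting"
# that inflates the loaded rule set.
table <servers> { 192.0.2.10, 192.0.2.11, 192.0.2.12 }

# Bound the state table explicitly instead of letting it grow unchecked.
# When the limit is reached new states are refused, so size it from the
# observed peak (>100k here) with headroom and watch "pfctl -si".
set limit { states 250000, src-nodes 50000 }

# Expire idle states sooner; the trade-off is that long-idle connections
# get dropped and must reconnect.
set optimization aggressive
set timeout { tcp.established 3600, udp.multiple 120 }

# Reassemble fragments once on the external interface.
scrub in on $ext_if all

block in on $ext_if all

# One stateful rule for the whole table. "max" caps the states this rule
# may hold; source tracking caps what a single client may consume, so one
# host cannot fill the table for everyone else.
pass in on $ext_if proto tcp from any to <servers> port { 80, 443 } \
    flags S/SA keep state \
    (max 150000, source-track rule, max-src-states 200)

pass out on $ext_if all keep state
```

Check the effect with `pfctl -si` (state count and limit hits) and `pfctl -sr` (how many rules the loaded set actually expanded into).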

